In our journey towards understanding the CSV process better, we have described in previous blog posts, the topics where CSV is used, the CSV life cycle, the V-model in the validation of computerized systems (‘CS’ hereafter) and we have also examined the risk-based approach used in validating CSs. In this post we focus on the relationship between the supplier of the CS and the GxP-regulated company. We examine the significance of the supplier during the CSV process in the GxP-regulated organization and we address the following questions:
- Who is considered a supplier of CSs?
- What are some important attributes of suppliers of CSs?
- What is the supplier’s role in CSV?
- How is the assessment of CS suppliers linked to the implementation of a CS in a GxP-regulated environment?
For the explanation of any acronyms mentioned here that are not explained in this blog post, please refer to Ref.1, Ref.2 or Ref.3 for the explanations. GxP refers to Good [Manufacturing, Laboratory, Clinical] Practices.
Who is considered a supplier of computerized systems (CSs)?
A supplier is a party that supplies goods or services to a customer. Another word used to describe a supplier is the term ‘vendor’. The GAMP5 guideline uses the term ‘supplier’ to describe the manufacturer of a CS, the provider of CS software, or the provider of IT-related services; so, to be consistent with the GAMP5 we will use the term ‘supplier’ throughout this post.
A supplier can be an external entity or an internal department of an organization. We focus here on suppliers who provide products or services to GxP-regulated companies, which are also referred to as the ’customer’. Meeting regulatory requirements demonstrates the supplier’s capability towards managing and controlling the product or services they provision.
Fig.1. Overview of the types of products or services a supplier of CSs can provide to GxP-regulated companies. Note: XaaS: X = S, P, I; for Software, Platform, Infrastructure as a Service, or SaaS, PaaS, IaaS, respectively.
Attributes of suppliers of CSs
Suppliers of CSs have for some time now come to the realization that their products and services are better received by the life sciences GxP-regulated industry when they show evidence that they follow this industry’s standards (eg. FDA Code of Federal Regulations, EudraLex) and guidelines (eg. Ref.4, Ref. 5, Ref.6, Ref.7). It is also advantageous for suppliers of CSs to be certified by relevant agencies (eg. ISO9001, ISO9126, IEEE1298) and to show that they follow GxP practices with existing SOPs. It is also good to maintain a robust Quality Management System (QMS), which manages and tracks various processes, such as change control, incident management, document management, personnel training records and periodic re-evaluation. A supplier must also hold an agreement (eg. SLA, OLA, UC) with the regulated company/customer. Below is a list of some types of agreements:
- SLA: A Service Level Agreement is an agreement between an IT service provider and a customer.
- OLA: An Operating Level Agreement is an agreement between an IT service provider and another part of the same organization.
- UC: An Underpinning Contract is a contract between an IT service provider and a third party.
- Outsourced Specification: Defines services, assets and organizations to be outsourced.
Last but not least, the supplier must provide experienced and trained subject matter experts as needed. These experts represent the supplier in all communications with the customer in terms of troubleshooting, training, providing additional information and any relevant support. The supplier’s role in CSV is discussed in the next section below.
Fig. 2. Important attributes that a supplier’s resume should contain in order to be well-received by the GxP-regulated company.
The supplier’s role in CSV
The supplier should strive to deliver a working product or good services, understand the customer’s needs, supplement when possible in CSV activities and support the customer throughout the CSV life cycle. Figure 3 lists some important activities where the supplier can play a significant role towards the success of CSV.
Fig. 3. Important areas where the supplier of CSs can play a significant role in CSV.
The supplier of a CS or service provides to its customer a product, accompanied with the relevant subject matter expertise, knowledge and documentation. In the case of a CS, the supplier designs and builds a CS to perform certain purpose and/or has tailored specific functionalities to address customer requirements.
In many cases the supplier’s role may be required to:
- provide support towards the resolution of failures and incidents attributed to the CS
- provide support to the GxP-regulated company during audits and regulatory inspections
- assist the GxP-regulated company in addressing any changes in business requirements affecting the CS
Suppliers are assessed and audited prior to the CS going ‘live’.
Let’s now look at the supplier’s role from a timeline perspective. Below are the three main steps that outline the sequence of the CS implementation in the GxP-regulated environment. These three steps are explained in detail in the following paragraphs:
- Step 1: Supplier validates their CS in-house
- Step 2: Customer assesses or audits the supplier of the CS
- Step 3: Customer validates the CS per business & user requirements
Step 1. First, a supplier creates specific software, hardware or would like to provide IT-related services (as shown in Fig.1) to a GxP-regulated company. These are products/services broadly considered as a CS. The supplier of these products needs to demonstrate that the CS functions and operates as intended and that all supporting documentation is available. This is achieved during Factory Acceptance Testing (FAT) and takes place at the supplier’s site. In terms of services, the supplier needs to show that these services can be provisioned by sufficiently trained and accredited personnel. When all testing is completed, the product can be released commercially, but cannot yet be used in the GxP environment (step 1 in Fig.4).
Step 2. Next, a GxP-regulated company/customer identifies a supplier of a CS that they would like to collaborate with. The customer starts an evaluation and assessment of this supplier. The rationale for assessing the supplier of a CS is to provide a high degree of confidence that the CS they provide has been built and tested according to the necessary quality standards required for a regulated company – or that the services the supplier provides meet the company’s standards. After all, according to Ref.6, “suppliers need to be assessed first before a regulated company outsources to them”. There are several types of assessments and audits, such as basic assessments, postal audits, questionnaires, on-site audits, joint audits and corporate audits (step 2 in Fig.4). More on how these supplier assessments are performed will be described in an upcoming blog post.
Step 3. Finally, once a decision has been made to accept a product or services from the supplier after a successful assessment or audit, the CSV team under the direction/sponsorship of the GxP-regulated company uses the CSV process to validate the CS according to the user and business requirements. It also verifies whether the CS operates and performs as intended within the context of the GxP-regulated organization. The CSV team confirms that the CS meets the business process requirements by validating the CS on the customer site. The team also ensures that the CS interfaces well with other CSs, that acceptable agreements (SLA, OLA, UC) are in place and that the CS abides by the appropriate regulations (local, global, industry-specific). This is achieved during User Acceptance Testing (UAT). Important here is that a degree of trust, dependence and cooperation needs to be present between the supplier of the CS and the GxP-regulated users of this CS. After successful validation, the CS can be used in the live environment, at the customer’s site (step 3 in Fig.4).
The 3 steps described above, are a simplification of what can happen in a real case scenario. Things don’t always go as planned and due to various constraints, failures, budgets, or change of plans, the CS may not get successfully validated, which in this case means that it cannot be used in a ‘live’, productive environment.
Fig.4. Assessment and audit (step 2) links the supplier of the CS (step 1) with the GxP-regulated company that will use this CS (step 3).
In this post we saw the importance of the relationship between the supplier of CSs and the GxP-regulated company/customer. The supplier should provision product or services of high quality and efficient functionality. The customer from their side should also strive to create and maintain a very good working relationship with the supplier, so requirements are met and so ultimately the CS operates as intended. Early and careful planning on how to leverage the supplier’s capabilities throughout the CSV life cycle should also be considered for a successful CSV project.
Keep reading the CSV blog series with Part 5: Audits in CSV
- Have you heard of CSV? Do you want to learn more about it? 09 March 2015.
- Have you heard of CSV? Part2. Do you want to learn even more about it? 24 Apr 2015.
- Have you heard of CSV? Part 3. The risk-based approach in CSV. 17 June 2015.
- GAMP5: A Risk-based approach to Compliant GxP Computerized Systems. ISPE 2008.
- PIC/S Guidance PI 011-3. Good practices for computerized systems in regulated GxP environments. 25 September 2007.
- FDA Guidance for Industry: Quality Systems Approach to Pharmaceutical Current Good Manufacturing Practice Regulations. September 2006.
- International Conference on Harmonization (ICH) – Pharmaceutical Quality System Q10. 4 June 2008.
Latest posts by Ilias Christodoulopoulos (see all)
- ‘Have you heard of CSV?’ part 6. CSV and the Cloud. - December 21, 2015
- ‘Have you heard of CSV?’ part 5. Audits in CSV. - November 9, 2015
- ‘Have you heard of CSV?’ part 4. Suppliers of Computerized Systems in CSV. - August 6, 2015