No Panacea
SaaS (software as a service) systems appear to be the panacea for organizations wishing to reduce their overall IT costs and the burden of managing IT departments. In some cases, companies have completely outsourced their IT functions to external service providers. Making it someone else’s problem seems ideal when one’s core business is anything but IT: SaaS solutions allow companies to outsource the technology and get access to new functionality through frequent software updates.
Too Good to be True
SaaS vendors position themselves in such a way as to make it appear that, with the ‘click of a button’, functional area managers can begin to use systems that used to take months to implement. Who wouldn’t want to choose this option? This is especially true with systems subject to 21 CFR Part 11 compliance and validation in the life sciences space. These vendors perform validation to a point within their software development and support activities and typically outline their compliance in a white paper that is available somewhere on their website or upon request.
Validation Work Needed
Life sciences customers often overlook that they must validate a system for its intended use. The vendor cannot meet this requirement without some level of validation effort on the part of the life sciences company. This is not the vendor’s responsibility nor is it their obligation. This is usually outlined in small print in the SaaS provider’s 21 CFR Part 11 white paper, thereby allowing vendors to say that they have informed their customers when, in fact, most of the customers do not read these documents. It is also quite common for these vendors to imply that they provide a ‘validated solution’ and that no additional work is required.
Life Sciences Companies at Risk
This can put life sciences companies at risk during regulatory audits or inspections: they may not be able to effectively demonstrate compliance with 21 CFR Part 11 and therefore may not be able to assert that their data has integrity. This can be incredibly damaging if the FDA decides that certain data included in a regulatory submission was created or maintained in a system that was deemed non-compliant and therefore had to be excluded from the submission. Imagine the impact on a biotech company’s valuation if they’ve received a complete response letter because the data in their submission lacked integrity.
Risk-Based Approach
The good news is that there is no single way to handle computer validation. It’s all about taking a risk-based approach. This allows each life sciences company to decide the risk level for each system and determine the appropriate approach to validation and control based on this assessment. But, and this is a big but, the company needs to perform this assessment, provide justification, and document it.
Vendors Are Not the Answer
With very few exceptions, the vendor doesn’t provide guidance on this, and most functional area managers don’t perform this activity because they don’t know to do it. Without Quality or IT to guide them on best practices, this critical activity is often overlooked.
Quality as an Afterthought
For a lot of life sciences companies, quality is an afterthought when it comes to IT-related systems. 21 CFR Part 11 came into effect in 1997 and, 20 years later, most life sciences companies don’t take it seriously. The FDA has been a bit slow on enforcement when it comes to data integrity, but we are starting to see more enforcement actions around data integrity, and it is my strong belief that we will see complete response letters because life sciences companies will not be able to demonstrate data integrity for data included in regulatory submissions.
How to Reduce Risk
How does a life sciences company reduce risk exposure if Quality and IT are not involved in the purchasing decision? How does a company make sure that the SaaS solutions are selected, implemented and operated in compliance with relevant regulations?
Since the functional area managers are the ones making the purchasing decisions, it makes sense to train them. But in many organizations, this area is one of the last considered when developing standard operating procedures, and most will self-select out of the SOPs governing anything related to IT anyway.
Another stop-gap could be to train purchasing and legal, but if they aren’t involved in the purchasing process, they won’t be able to provide the appropriate guidance. And once the invoices get to accounting, it’s already too late.
The best way to reduce the risk is to recognize that data integrity is as important as clinical trials, preparing data for regulatory submissions, and protecting IP. IT is not just access to email and Google. If you don’t know what data is important based on predicate rules, talk to a professional before signing on the dotted line.