“Where there is data smoke, there is business fire.” — Thomas Redman
In today’s Life Sciences companies, there are typically large numbers of IT assets moving both between organizations inside corporations and between organizations in different corporations. Many a time you can find a significant amount of poorly documented “throw-away” applications, websites and mobile apps that are missing or have incorrect classification information being passed on between different stakeholders like a hot potato.
Even more significantly, in numerous M&As activities, applications have been found being GxP relevant without having that classification attributed, and consequently, no validation documentation to demonstrate compliance is available. Worse still, some applications being classified as GxP, where in reality they were fulfilling the definition of Software as a Medical Device, without having either that classification or the corresponding technical documentation to meet the applicable regulatory requirements.
Going down from the variety of classifications and lacking classifications, it is often the case that a sizeable number of gaps can be found, especially at the documentation level, the process level, and the operations level.
Examples at the documentation level include systems classified as GxP where neither User Requirements Specifications, Functional Specifications, Design Specifications nor testing evidence was available. On top of this, more than 20 years after the introduction of 21 CFR Part11, applications are still lacking proper evidence that they fully comply with applicable Electronic Records / Electronic Signature (ERES) requirements (21 CFR Part11 / Annex 11). On a similar scale, even the new applications have no vendor assessment documented, even when they are of a high criticality to the patients.
Furthermore, at the process level, the applications have often been developed without any SDLC process defined in the absence of secure coding guidelines in place. Sometimes issues arise with the completeness of validations documentation, that they haven’t been properly approved. Moreover, in some cases, the medical information/ advice content in some web applications and mobile apps is not formally approved.
Finally, at operations level there is surprisingly often a lack of procedures in place for the system maintenance / operational phase, e.g. backup and restore procedure, disaster recovery plan and testing, problem management, identity access management procedures, business continuity procedures, etc. In addition, some systems have been decommissioned without following a formal and documented retirement process, including a proper records disposition strategy, but most critically there have been examples where absolutely no change management process was in place.
What can be done to counter the gaps in an effective way? There are several trusted pillars for taking on any large-scale remediation activities like this:
- Use a qualified Application Lifecycle Management (ALM) tool and incorporate all the existing System Lifecycle Documents (SLD) into the tool as the current documentation baseline and retire (archive) the previous documentation, if existing.
- Produce a full trace with all requirements, levels of test specifications and test results in the ALM tool.
- Perform a (periodic) review and update of the key assessments of the application, in order to assure it is properly validated.
- If possible, automate the regressions tests, in order to allow future change management to adopt a fast release cycle, which is expected by the agile community. Regression test the application using the new baseline documentation.
- Onboard the application to all basic ITIL processes which of course should already be implemented in an IT Service Management tool: Release Management, Asset Management, Configuration Management, Problem Management, Change Management, Identity Access Management et al.
KVALITO consulting Group works with diverse Life Science companies in Merger, Acquisition and Divestment projects supporting smart quality, compliance and project management.
If you would like to engage KVALITO in your next Merger, Acquisition and Divestment project, feel free to send us an email to contact@kvalito.ch.
Author: Lars-Eric Winqvist Senior Life Sciences Consultant / co-Author: Rodrigo Alvarez Sanchez, Life Science Consultant