As part of their digital strategies, many organisations are currently looking to assess potential vendors for Infrastructure as a Service (IaaS) or Software as a Service (SaaS).
To many organisations, this can pose a challenge with regard to knowing what to look for and what to accept from a particular supplier. The following piece summarises some of the current regulatory requirements with regard to supplier assessment and also provides some clarity on how these may apply to an IaaS or SaaS supplier assessment exercise. Depending on your organisation, some or all of the following may apply.
Per 21 CFR Part 210 / 21 CFR Part 211 and Eudralex Volume 4 for drug product, and per 21 CFR Part 820 and EU 2017/745 & EU 2017/746 for medical devices, an organisation must be able to demonstrate that their drug products or medical devices are manufactured using validated processes and equipment and that adequate supplier management processes are in place within their Quality Management Systems.
Validated processes include not only the validation of the methods and the machines at the organisation's manufacturing location, but also any computerised systems involved. In the case of an outsourced SaaS or IaaS, e.g., e-QMS tools or data hosting on the cloud, this will also include the requirement for the infrastructure to be qualified. As per EU V.4 Chapter 7 Outsourced Activities, an organisation must ensure that suppliers / service providers are adequately assessed.
At Odyssey VC, we have received confirmation from the regulators that the organisation cannot accept third party certifications or evidence of third party audits by certification bodies in lieu of their own organisation’s assessment process, i.e., if your process requires a thorough audit of a critical supplier, e.g., a cloud provider which will host GxP data, then you must complete a thorough audit of that critical supplier (and you must confirm where your data is going).
As a user of the SaaS / IaaS, it is up to the organisation to ensure that the qualification and validation are appropriate for the intended use. This must be confirmed by the organisation and should include an assessment against 21 CFR Part 11 and EU V.4 Annex 11 to ensure compliance against the requirements for electronic records and electronic signatures.
For medical devices, it is also worth noting that the European Medical Device Regulations, EU 2017/745 & EU 2017/746, state that during the notified body’s assessment of an organisation, an audit of the organisation's manufacturing premises may be required and, if appropriate, an audit of the premises of the organisation’s suppliers and/or subcontractors, i.e., the notified body may request (or demand!) to visit the premises of your IaaS / SaaS provider, including your outsourced data centre.
As a result, the organisation must ensure that any potential supplier does not obstruct / deny the audit request. Ensure that supplier agreements include confirmation of acceptance by the supplier to onsite audits by both your organisation and by your associated notified body, should the need arise.
In summary, regardless of whether the supplier you are assessing is a provider of GxP-impacting digital solutions or a provider of a critical component of your manufacturing process, the requirements of your organisation's supplier management process must be met. If this process calls for an audit, desk-based or on-site, then the organisation must complete this as part of the supplier assessment process. As mentioned above, confirmation of certification from external bodies, while beneficial during the selection process, is not deemed equivalent to an organisation's own audit.
At Odyssey VC, we are happy to offer assistance with supplier assessment of digital solution providers.