Vendor Audit - Focus on Cloud, Software-as-a-Service (SaaS), and Other Technologies used for FDA-Regulated Activities

We will discuss the importance of applying industry best practices when auditing a vendor of hardware, software, or other technology, or a provider of technology services, such as system implementation, system configuration, system development, system integration or similar activity

Computer systems that are used in FDA-regulated environments (i.e., the system “touches” an FDA-regulated product, or a raw material or packaging component used in conjunction with the product during the manufacturing, testing or tracking processes). Such a system must be validated in accordance with FDA guidelines for computerized systems and documented accordingly.

It is important to be able to identify computer systems used when performing FDA-regulated activities. When a vendor is involved, whether in terms of provisioning hardware and/or software, implementing the system or maintaining it, this must be done in compliance with FDA requirements. A solid computer system validation strategy, along with an understanding of industry best practices, will lead your company to ensure that vendors are held accountable for delivery of systems and services that will support your efforts to validate computer systems and maintain them in a validated state.

This webinar will also provide guidance on the importance of factoring risk into all FDA-regulated activities, and will help you assess the risk of any computer products purchased from third-party vendors. You will also learn how to develop a standard audit process, using templates and checklists, to ease the burden of this activity. Documentation is critical to proving that a system does what it purports to do, and that a company has thoroughly scrutinized and effectively leveraged any third-party vendor that is involved in these efforts.

We will cover Computer Off-the-Shelf (COTS) software applications, cloud computing, and Software-as-a-Service (SaaS). We’ll discuss the traditional approach to Computer Software Validation (CSV), and contrast it with FDA’s recent draft guidance (September 2022) on Computer Software Assurance (CSA). CSA focuses on critical thinking and a risk-based approach. It also lends itself well to automated testing, and is aligned closely with GAMP®5, Second Edition.

Overall, we’ll discuss the industry best practices and note the pitfalls to avoid when validating systems regulated by FDA.

Why should you Attend: You should attend this webinar if you are responsible for implementing, validating, using or managing an FDA-regulated system in a validated state, and hardware and software components are from vendors providing cloud services and/or SaaS solutions. There are key items that should be covered with such vendors when developing the contract and SLA with them. Auditing them in advance also provides insight as to what areas the vendor is weakest or requires more controls in place to satisfy and audit.

Know what questions to ask the vendor, including during the audit and when the contract and SLA are to be drawn up. This is the time to protect your operations, data, and documents, particularly if these are held in cloud storage.

Understand how the vendor operates and the processes, procedures, policies, and practices that are followed. We’ll discuss how to know if a vendor has a mature and robust quality management system for code development and change control. We’ll also talk about ongoing vendor support.

Areas Covered in the Session:

• Developing a strategic approach to vendor audit
• Understanding best industry audit practices to ensure FDA compliance
• Identifying the key areas of vendor performance that are necessary to ensure they will meet your compliance requirements
• Knowing the right questions to ask about an array of key areas that could have an impact on security and validation
• Understanding how to investigate 21 CFR Part 11 (electronic records/electronic signatures) compliance
• Understanding how a vendor will provide the customer service and support required to run your critical business operations
• Identifying the procedural controls needed to support areas where there may be technical control gaps or weaknesses
• Determining how to monitor the vendor over time, performing audits through questionnaires or on-site visits
• Understanding ways to leverage your vendor’s experience and expertise to assist with Installation Qualification and Operational Qualification
• Understand how to assess a vendor’s ability to provide custom code, testing assistance, and training to your team
• Learn how to carefully document all activities related to your vendor to ensure compliance
• Q&A

• Information Technology (IT) Analysts
• IT Developers
• IT Support Staff
• IT Security Staff
• QC/QA Managers and Analysts
• Production Managers and Supervisors
• Supply Chain Managers and Supervisors
• Clinical Data Managers and Scientists
• Compliance Managers and Auditors
• Lab Managers and Analysts
• Computer System Validation Specialists
• GMP, GLP, GCP Training Specialists
• Business Stakeholders using Computer Systems regulated by FDA
• Regulatory Affairs Personnel
• Consultants in the Life Sciences and Tobacco Industries
• Interns working at the companies listed above
• College students attending schools and studying computer system validation, regulatory affairs/matters (related to FDA) or any other discipline that involves adherence to FDA regulatory requirements