SOPs for Managing Application Services Providers
Ivan Soto
Learning Objectives
At the end of this session we will have covered:
- Types of Managed Services
- Outsourcing process
- Quality expectations for Managed Service providers
- Roles and Responsibilities
- Governance, monitoring and oversight
- Service Level considerations
- Inspection Readiness
- Case Study: Promotional Materials System Implementation
Types of Managed Services
- Our Way Is the Way
  - Keep process ownership, execute with supplier's people
  - May be onsite or supplier's site (InSourcing, Offshoring)
- Go Away
  - Hand everything to supplier to manage on your behalf
  - Supplier owns processes over time (Outsourcing)
- Do It Their Way
  - Move to supplier's standard processes and environment
  - Processes common across multiple companies (SaaS)
Outsourcing Process
- Phase 1: Business Case
  - Benefit & Risk Analysis
- Phase 2: Specification and Selection
  - Baseline Specification Selection Contract
- Phase 3: Implementation
  - Planning Implementation Transition
- Phase 4: Monitor
  - Service Level and Contract Management
- Phase 5: Change
  - Change Management
  - Exit Management
Business Case: Benefits Analysis
- Focus should be on core, value adding business activities
- Cost optimization
- Improved service portfolio and performance management
- Simplified organization
- Improved quality standards
Business Case: Risk Analysis
- Misalignment of business objectives: quality vs cost vs volume
- Cost optimization
- Loss of control and visibility of regulated services
- Loss of intellectual property control
- Improved quality standards
Specification and Selection: Baseline Assessment
- Regulatory impact of application and assets and services to be outsourced
- Current quality status
- Current documentation and records management practices
- Process map for outsourced activities with associated roles and responsibilities
- Can be used for SLA
- Identify support gaps
- Aids identifying hidden cost
Specification and Selection: Supplier Selection Considerations
- Cost, technical response, responsiveness, quality approach
- Experiences of other organizations with the supplier
- Supplier audit
Implementation
- Transition to outsource company
  - When services, assets and applications will be migrated
  - When resources will transition to the outsource organization
  - When processes and procedures will transition
- Service disruption management
- Knowledge transfer
Governance
- Business management
- Contract management
- Service and Quality management
- Customer and supplier relationship management
Monitor
- Audits
- Compliance with processes and standards
- Performance Reporting
- Cost, quality and service volume metrics
Contract Change & Exit Management
- Evaluating needs for addition or reduction of services
- Service Level Agreements
Quality Expectations for Service Providers
- Documented processes and controls in place
- Training on the processes and controls for those that are expected to implement them
- Qualification of the individuals that are implementing the processes and controls
- Documented evidence of successful execution of the processes and controls
- Metrics, monitoring and evaluation of the execution of the processes and controls
Quality Expectations for Service Providers (cont.)
Quality Management Systems: Service Delivery
Application Support Design Procurement H/W & S/W Deployment Validation/Qualification Backup, Restore Archive Security Asset Management Configuration Management Platform Maintenance Internet/Intranet Services
Quality Expectations for Service Providers (cont.)
Quality Management Systems: Service Management
- Help Desk
- Demand Management
- Service Specification
- Prioritization and Planning
SOPs for Service Providers
- SOPs will vary depending on the type of managed services
- SOPs should address the following:
  - System impact assessments on patient safety, product quality, and data integrity
  - Roles and Responsibilities
  - Life cycle approach
  - Risk management
  - System Specifications
  - Validation and Qualification
  - System Operation and Maintenance
  - Record and Data Management
  - Security Management
SOPs for Service Providers
- SOPs will vary depending on the type of managed services
- SOPs should address the following:
  - System impact assessments on patient safety, product quality, and data integrity
  - Roles and Responsibilities
  - Life cycle approach
  - Risk management
  - System Specifications
  - Validation and Qualification
  - System Operation and Maintenance
  - Record and Data Management
  - Security Management
  - Change and Configuration Management
Roles and Responsibilities
- The responsibility for data integrity ultimately remains with the regulated company
- Roles and responsibilities must be defined and clear to both parties
- The regulated company may leverage supplier knowledge, services and artifacts
- The supplier is accountable for the quality delivery of its services
- The regulated company is accountable for determining the ongoing suitability of services that are leveraged
Governance, Monitoring, and Oversight
- Identification of sensitive or critical business data
- Audits (frequency, focus)
- Access provisioning and roster reviews
- Privileged Access
- Audit trails
- Business Continuity / Disaster Recovery
- Service Level measurements
Service Level Considerations
- Availability and performance
- Change management
- Quality of service
- Security
- Business continuity / Backup and Recovery
- Personnel Qualification
Inspection Readiness
- Document Management
- Record Retention
- Record Retrieval
- Clear response time expectations
Case Study: Promotional Material System
Ivan Soto
Background
- Hosted application implemented and managed by the vendor
- Application allows users to plan, discuss, agree concepts and track promotional materials
- Vendor works with more than 100 companies and over 25,000 users across the life sciences industry
Implementation Approach
Following our internal procedures, we performed the following activities:
- Initial Regulatory Assessment
- Part 11 Assessment
- Risk Assessment
- Supplier Assessment
Implementation Approach (cont.)
Initial Regulatory Assessment:
- Based on GxP requirements
- Identifies GxP applicability
- Identifies applicable regulatory requirements
- Identifies systems that require validation
- Identifies the need to implement procedure controls (SOP)
Implementation Approach (cont.)
Part 11 Assessment:
- Identifies applicable Part 11 requirements
- Closed or Open System
- E-signature requirements
- Electronic records requirements
- Hybrid or fully electronic system
Implementation Approach (cont.)
Risk Assessment:
- Identifies whether the application is High, Medium or Low risk
- Validation effort is based on the risk level
- Procedure controls are based on risk level
Implementation Approach (cont.)
Supplier Assessment:
- Supplier's QMS
- System Development Life Cycle
- Design Controls
- Security & Data Integrity (Cloud Environments)
Implementation Approach
Assessment Results:
- GxP impact
- Low risk
- Vendor met supplier assessment criteria
Implementation Approach
- Leverage vendor created validation documents
- Perform User Acceptance Testing
- No on-site vendor audit
- Leverage vendor SOPs
- Create SOPs for user access, software administration and business process
Implementation Approach
Vendor's SOPs:
Business Continuity Client charter Code of Conduct Complaints Procedure Contract - Software Licensing Agreement Employee Confidentiality Agreement Employee Training Records Risk Management SOP Approval Process Training SOP Network / Server access Procedure IT Security Policy Internal System Inventory Hardware asset records Security Incident Management Data Backup Plan Intrusion Detection Policy User Registration and Privilege Policy Development SDLC policy Development SDLC template documents Development Change Control policy Security / Vulnerability Identification Procedure CFR Part 11 Compliance
Summary
- Cloud Technical Overview
- Security & Data Integrity
- Change Management
- Risk Based Validation Approach
- Periodic Review and Assessment
Summary
During this session, we covered the following concepts:
- Types of Managed Services
- Outsourcing process
- Quality expectations for Managed Service providers
- Roles and Responsibilities
- Governance, monitoring and oversight
- Service Level considerations
- Inspection Readiness
- Case Study: Promotional Materials System Implementation
Questions?