Learning Objectives
Learning Objectives
At the end of this session we will have covered:
Types of Managed Services
Outsourcing processOutsourcing process
Quality expectations for Managed Service providers
Roles and ResponsibilitiesG it i d i ht
Governance, monitoring and oversight
Service Level considerations
Inspection Readiness
Case Study: Promotional Materials System ImplementationTypes of Managed Services
Types of Managed Services
•
“
Our Way Is the Way”
•
Keep process ownership, execute with supplier’s people
•
May be onsite or supplier’s site (InSourcing, Offshoring)
•
“Go Away”
•
Hand everything to supplier to manage on your behalf
•
Supplier owns processes over time (Outsourcing)
•
“Do It Their Way”
•
Move to supplier’s standard processes and environment
Outsourcing Process
Outsourcing Process
Change Management Exit Management Phase 5: ChangeService Level and Contract Management Phase 4: Monitor Planning Implementation Phase 3: Implementation Baseline Specification Phase 2: Specification and Selection
Business Case
Business Case
•
Benefits Analysis
•
Benefits Analysis
• Focus should be on core, value adding business activities
• Cost optimizationCost optimization
• Improved service portfolio and performance management
• Simplified organization
Business Case
Business Case
•
Risk Analysis
•
Risk Analysis
• Misalignment of business objectives – quality vs cost vs volume
• Cost optimizationCost optimization
• Loss of control and visibility of regulated services
• Loss of intellectual property control
• Improved quality standards
Specification and Selection
Specification and Selection
•
Baseline Assessment
•
Baseline Assessment
• Regulatory impact of application and assets and services to be outsourced
• Current quality status
• Current documentation and records management practices
• Process map for outsourced activities with associated roles and responsibilities
• Can be used for SLACan be used for SLA
• Identify support gaps
Specification and Selection
Specification and Selection
•
Supplier Selection Considerations
•
Supplier Selection Considerations
• Cost, technical response, responsiveness, quality approach
• Experiences of other organizations with the supplierExperiences of other organizations with the supplier
• Supplier audit
Implementation
Implementation
•
Transition to outsource company
Transition to outsource company
• When services, assets and applications will be migrated
• When resources will transition to the outsource organization
• When processes and procedures will transition
• Service disruption management
Governance
Governance
•
Business management
Business management
•
Contract management
•
Service and Quality management
•
Customer and supplier relationship management
Monitor
Monitor
•
Audits
Audits
• Compliance with processed and standards
P f
R
ti
•
Performance Reporting
Contract Change & Exit Management
Contract Change & Exit Management
•
Evaluating needs for additional or reduction of
Evaluating needs for additional or reduction of
services
•
Service Level Agreements
Quality Expectations for Service
Quality Expectations for Service
Providers
Providers
Providers
Providers
•
Documented processes and controls in place
•
Training of the processes and controls to those that are
•
Training of the processes and controls to those that are
expected to implement them
•
Qualification of the individuals that are implementing the
•
Qualification of the individuals that are implementing the
processes and controls
D
t d
id
f
f l
ti
f th
•
Documented evidence of successful execution of the
processes and controls
M t i
it i
d
l
ti
f th
ti
f
Quality Expectations for Service
Quality Expectations for Service
Providers (cont.)
Providers (cont.)
Providers (cont.)
Providers (cont.)
• Quality Management Systems
Quality Expectations for Service
Quality Expectations for Service
Providers (cont.)
Providers (cont.)
Providers (cont.)
Providers (cont.)
• Quality Management Systems
• Service Management
• Help Desk
• Demand Management
• Service Specification
SOP’s for Service Providers
SOP’s for Service Providers
• SOP’s will vary depending on the type of managed servicesSOP s will vary depending on the type of managed services
• SOP’s should address the following:
• System impact assessments on patient safety, product quality, and data integrityy p p y, p q y, g y
• Roles and Responsibilities
• Life cycle approach
• Risk management
• Risk management
• System Specifications
• Validation and Qualification
• System Operation and Maintenance
• Record and Data Management
• Security Managementy g
SOP’s for Service Providers
SOP’s for Service Providers
• SOP’s will vary depending on the type of managed servicesSOP s will vary depending on the type of managed services
• SOP’s should address the following:
• System impact assessments on patient safety, product quality, and data integrityy p p y, p q y, g y
• Roles and Responsibilities
• Life cycle approach
• Risk management
• Risk management
• System Specifications
• Validation and Qualification
• System Operation and Maintenance
• Record and Data Management
• Security Managementy g
SOP’s for Service Providers
SOP’s for Service Providers
Roles and Responsibilities
Roles and Responsibilities
•
The responsibility for data integrity ultimately remains with
•
The responsibility for data integrity ultimately remains with
the regulated company
•
Roles and responsibilities must be defined and clear to both
•
Roles and responsibilities must be defined and clear to both
parties
•
The regulated company may leverage supplier knowledge
•
The regulated company may leverage supplier knowledge,
services and artifacts
•
The supplier is accountable for the quality delivery of its
•
The supplier is accountable for the quality delivery of its
services
Governance, Monitoring, and
Governance, Monitoring, and
Oversight
Oversight
Oversight
Oversight
•
Identification of sensitive or critical business data
A dit (f
f
)
•
Audits (frequency, focus)
•
Access provisioning and roster reviews
•
Privileged Access
•
Audit trails
•
Audit trails
•
Business Continuity / Disaster Recovery
•
Service Level measurements
Service Level Considerations
•
Availability and performance
•
Availability and performance
•
Change management
g
g
•
Quality of service
•
Security
B
i
ti
it / B
k
d R
•
Business continuity / Backup and Recovery
Inspection Readiness
•
Document Management
•
Document Management
•
Record Retention
•
Record Retrieval
•
Clear response time expectations
Background
H
t d
li
ti
i
l
t d
d
d b
•
Hosted application implemented and managed by
the vendor
•
Application allows users to plan, discuss, agree
concepts and track promotional materials
•
Vendor works with more than 100 companies and
over 25,000 users across the life sciences industry
Implementation Approach
F ll
i
i t
l
d
f
d
•
Following our internal procedures we performed
the following activities:
Initial Regulatory Assessment
•
Initial Regulatory Assessment
•
Part 11 Assessment
•
Risk Assessment
Risk Assessment
Implementation Approach (cont.)
I iti l R
l t
A
t
•
Initial Regulatory Assessment:
•
Based on GxP requirements
Identifies GxP applicability
•
Identifies GxP applicability
•
Identifies applicable regulatory requirements
•
Identifies systems that require validation
Identifies systems that require validation
•
Identifies the need to implement procedure controls
(SOP’)
Implementation Approach (cont.)
P t 11 A
t
•
Part 11 Assessment:
•
Identifies applicable Part 11 requirements
• Close or Open System
• Close or Open System
• E-signatures requirements
• Electronic records requirements
Implementation Approach (cont.)
Ri k A
t
•
Risk Assessment:
•
Identifies whether the application is High, Medium or
low risk
low risk
•
Validation effort is based on the risk level
•
Procedure controls are based on risk level
Implementation Approach (cont.)
S
li
A
t
•
Supplier Assessment:
•
Suppliers QMS
System Development Life Cycle
•
System Development Life Cycle
•
Design Controls
Implementation Approach
A
t R
lt
•
Assessment Results:
•
GxP impact
Low risk
•
Low risk
•
Vendor met supplier assessment criteria
Implementation Approach
L
d
t d
lid ti
d
t
•
Leverage vendor created validation documents
•
Perform User Acceptance Testing
•
No on-site vendor audit
•
Leverage vendor SOP’s
•
Create SOP’s for user access, software
Implementation Approach
Vendors SOP’s: • Vendors SOP s: • Business Continuity • Client charter • Code of Conduct • Complaints Procedure C t t S ft Li i A t• Contract - Software Licensing Agreement
• Employee Confidentiality Agreement
• Employee Training Records
• Risk Management
• SOP Approval Process
• Training SOPTraining SOP
• Network / Server access Procedure
• IT Security Policy
• Internal System Inventory
• Hardware asset records
• Security Incident Management
• Data Backup Plan
• Intrusion Detection Policy
• User Registration and Privilege Policy
• Development SDLC policy
• Development SDLC template documents D l t Ch C t l li
• Development Change Control policy
• Security / Vulnerability Identification Procedure
• CFR Part 11 Compliance
•
Summary
Cl
d T
h i
l O
i
•
Cloud Technical Overview
•
Security & Data Integrity
•
Change Management
•
Risk Based Validation Approach
Summary
D i
thi
i
d th f ll
i
•
During this session, we covered the following
concepts:
• Types of Managed Services
• Types of Managed Services
• Outsourcing process
• Quality expectations for Managed Service providers
• Roles and Responsibilities
• Governance, monitoring and oversight
• Service Level considerations
• Service Level considerations
• Inspection Readiness
• Case Study: Promotional Materials System Implementation
