Operational software compliance in pharma: a practical guide

Compliance during the operational phase requires the involvement of multiple stakeholders, each with specific roles in ensuring regulatory adherence and risk mitigation. Below is a structured process to execute compliance tasks:

Tasks that may arise during the operational phase can be categorized based on their impact:

• Recurrent Tasks: These tasks have a defined impact and are guided by the compliance framework. They can be outsourced with clear internal guidelines and monitoring.

• Tasks Requiring Impact Assessment: More complex tasks that need individual assessment are less suitable for outsourcing and require in-depth monitoring.

Examples of each category include:

• Recurrent Tasks: IQ/OQ/PQ, test execution, project closure, summary reports, traceability matrix, periodic review, system monitoring.

• Tasks Requiring Impact Analysis: Change management, incident management.

Effective operational software compliance often requires coordination between the system owner (client) and the service provider.

Points of contact on both sides must be well-informed of requirements and engage in regular follow-up meetings (e.g., weekly) to oversee tasks and address needs. Clear communication channels should be established to support technical queries and collaboration.

• Client Responsibilities:
  • Provide guidelines or procedures, necessary training, and system access (e.g., task tracking systems like JIRA).
  • Define expected time commitments, due dates, and task priorities.
• Service Provider Responsibilities:
  • Ensure team members are trained, provide feedback, and address any concerns during task execution.
  • Deliver feedback on task timelines, guideline content, and any additional questions or issues at the start of each task.

The better structured and documented the tasks are, the easier and more successful the outsourcing process will be. Communication channels and documentation of execution levels (e.g., remote or on-site testing) support efficiency in compliance management.

Although regular meetings are held between points of contact, there must be a communication channel that allows for technical queries to be made by the teams on both sides.

The tests and evidence required for task execution can be conducted at different levels:

• Global systems / systems with remote access: the tester (service provider team) accesses the system remotely and performs the tests, capturing the evidence during the execution.

• Systems without remote access and too complex to grant access: subject matter experts take evidence, and the service provider team documents the execution.

• Systems without remote access but accessible on-site: Accessing the client's facilities to execute and collect the required evidence. Documentation of the execution can be done both on-site and remotely.

Once the task is completed and delivered, the level of review by the client should depend on the complexity of the tasks and the experience of the service provider’s team. Monitoring of KPIs will help to identify process improvement needs.