IT environment

Figure 5

During the preselection IT assessment process, early identification of weaknesses and risks in the IT infrastructure, applications, or data-management areas enables the sponsor to avoid hidden costs and compliance failures.

The facilities that house the infrastructure components should be inspected to determine whether they are adequately secure. Security can be provided by physical locks, password- or code-enabled locks, identification-card readers, or biometric sensors. The sponsor should also look for physical elements that ensure the safe, continued operation of the equipment within the facility or data center. Fire-extinguishing systems, heating and air-conditioning systems, uninterruptable power supplies and power-conditioning units, battery backup, and power generators protect the equipment and the data or records they hold.

The CMO's networks provide the communications capabilities within the CMO's own organization and between the CMO and the sponsor. During the preselection assessment, the sponsor should ask the CMO candidate for an explanation of the networks and communications capabilities. This overview will help determine how the CMO approaches network design in the manufacturing, laboratory, and administrative or corporate areas. The sponsor should look for network design elements that provide the appropriate level of isolation, security, and performance for the functioning of the specific area. Isolated proprietary shop floor or laboratory networks are often used to protect the data and equipment or instrument controls from the day-to-day business or administrative operations and data. The CMO should have processes and controls in place for securing their internal network through user identification and passwords.

Firewalls should be in place to provide additional security between the CMO's internal IT environment and the outside world. The network components that provide data exchange between the CMO and the sponsor should have the capacity and speed the sponsor requires. If electronic data exchange is a critical concern and requirement for the sponsor, actual transmission tests can confirm the connectivity and transmission speed between the CMO and the sponsor.

The CMO should be able to pre-sent evidence to the sponsor that the network has been qualified accor-ding to industry good practices. The evidence should show that the CMO understands the current network configuration, knows that it is functioning properly, and has controls in place for the ongoing support and control of the network.

The CMO should be able to present evidence that its computer servers have been properly installed and qualified. The evidence should include an inventory of all servers, configuration information for each server (e.g., vendor, model, major components, processor model, amount of memory), amount and type of other internal server storage, operating system and utility software installed along with the version and patch level, communications addresses, and identification of any application software (version and patch level) installed on each server. Controls should be in place for the ongoing operation, support, and control of the servers.

If the CMO uses mass data-storage devices that are external to the computer servers, then it should show evidence that the data-storage devices were properly installed and qualified and that adequate strategies are in place for their ongoing operation, support, and control. Basic configuration information should be available.

Applications. During the preselection assessment, the sponsor should determine which business processes the CMO candidate performs with the assistance of computerized applications. The sponsor's quality unit can provide an initial determination of the applicability of federal good practices regulations (GXP) for the computerized applications. This determination will allow the sponsor to focus on systems that have high GXP visibility. Regulatory inspectors tend to focus on systems that:

• Have a direct effect on product safety, purity, or efficacy (e.g., manufacturing-recipe systems, materials management, inventory tracking, and systems that provide required procedures)
• Have an effect on the patient (e.g., systems that directly affect the product such as labeling and packaging systems and automated inspection and materials-handling systems)
• Directly affect the creation, maintenance, or retention of critical records (e.g., manufacturing-batch records, quality-control records for raw materials and finished products, and product-distribution records).

Table I: Documentation that shows an application has been validated.

In addition to investigating the compliance of the CMO's GXP-related applications, the sponsor should use the preselection assessment as an opportunity to identify the application systems that support the CMO candidates' business operations such as procurement, financials (e.g., accounts payable and accounts receivable), human resources (e.g., hiring, training, and termination), document management, production and capacity planning, equipment inventory and asset management, corrective and preventive action (CAPA), deviation tracking, project management, management of customer change orders, and desktop operations. Compiling a list of the CMO candidates' applications and their installed version of the application enables the sponsor to evaluate the compatibility of its own applications with those of the CMO candidates. If sponsor applications are different from those of the CMO candidates, then the sponsor's IT support staff can advise the sponsor about the efforts and costs that will be required to establish application compatibility, create a custom interface to a CMO system, or implement a manual solution for the incompatibility problems. Having this information before selecting the CMO will help to develop an accurate cost estimate for doing business with the particular CMO candidate.

Data and records. A crucial element of the preselection assessment is the determination of how the CMO proposes to produce, store, and transfer critical manufacturing records (i.e., actual manufacturing-batch records), regulatory data (e.g., lot and batch traceability, certificates of analysis for raw materials and sponsor product), and data or records that may be critical for the sponsor's business (e.g., finished-product inventory, locations, and QC status) (see Figure 6). These data and records flow from the CMO to the sponsor.

Figure 6

The sponsor should identify whether the CMO candidate will create paper-based records or electronic records and which records will be available to the sponsor. For example, the CMO may produce a paper-based manufacturing-batch record or an EBR. If the CMO can only provide paper records, the sponsor must determine whether the records will suit the sponsor's business processes. If they will not, the sponsor must identify alternative solutions and the costs for converting the paper record into an electronic format. If the manufacturing-batch record is only available in paper form, then the sponsor can estimate the cost of scanning the paper record into an PDF-file format and programming a function to link searchable metadata to that PDF file. This estimate is valuable information to have when the sponsor is ready to negotiate the SLA-based contract with the selected CMO. This exercise can be done for each type of critical record.

The final item of note in Figure 6 is the two-way flow of data and information between the CMO's and the sponsor's IT systems. The sponsor should look for compatibility between the CMO's and the sponsor's systems. Compatibility can be facilitated when the CMO uses systems that are based on open-standards products such as UNIX operating systems and SQL-compliant databases or products that have the flexibility to produce output in different standard file formats (e.g., ASCII format and PDF format).

Some additional items should be explored during the preselection assessment of the CMO candidate's IT environment. The CMO should provide the sponsor with an overview of how it can provide data and record security. At a minimum, the CMO should address the following areas:

• How the sponsor's proprietary information, data, and records will be stored
• How sponsor data will be kept separate when more than one sponsor database resides on the same server
• What security measures are in place to ensure that only authorized individuals will be able to access the sponsor's data and records
• The process for backup and recovery of the sponsor's data and records
• How the CMO will ensure the ongoing business continuity of its IT systems and the sponsor's data and records.

IT processes and controls

During the preselection assessment, the sponsor can interview key CMO IT personnel. It is recommended that the sponsor interview a diverse sample of representatives in the CMO's IT department (e.g., IT application manager, computer-room operator, network engineer, programmer, technical engineer, and help-desk and support personnel). The interviews should yield an overall impression of the processes, practices, standards, and procedures that exist within the CMO candidate's IT area. A complete review of all IT processes is not practical at this point of the CMO selection process, but the sponsor should look for indicators of the following good practices:

• Documentation of a service-delivery methodology. The International Organization for Standardization has developed several standards such as ISO 20000 that provide guidance in this area. The IT Infrastructure Library is also a guidance system for the development and delivery of IT services and infrastructure (3, 4).
• Implementation of a quality-management system (QMS). Evidence of this may include a quality manual and quality policy. ISO 9001 and Control Objective for Information and Related Technologies provide guidance for establishment of a QMS (5, 6).
• Commitment to continuous improvement. This commitment may be demonstrated by a simple SOP or may be an elaborate Six Sigma program.
• Documentation of security practices and proof that the procedures are followed. Evidence includes new account requests and their approval, network designs that include firewalls, automatic password expiration for desktop users, and account deactivation. The ISO 27000 series provides standards and guidance on IT security.
• Establishment and testing of business-continuity and disaster-recovery plans.
• Documentation of records-retention policy and procedures for paper and electronic records and proof that the process is being followed.
• Documentation of procedures for change control and configuration management. This criterion is especially important when the CMO is providing services to several sponsors. Operational records should indicate strict adherence with these procedures.

Good project-management practices are key to the successful development, implementation, delivery, and maintenance of systems or services. During the preselection assessment, the sponsor should look for evidence of good project-management practices such as clear definition of roles and responsibilities and clear identification of deliverables, milestones, and dependencies. Metrics for tracking progress, cost, and resource utilization should be clearly defined and appropriate. Reporting mechanisms should be efficient and timely. These project-management practices can be successfully applied to all areas of the CMO's operations.