Validation Considerations for Mobile Devices

The rapid advent of wirelessly networked mobile devices such as tablets and cell phones into FDA regulated business processes has created significant challenges for the legacy based IT platform qualification and validation regimens. These known-state validation frameworks were defined during the prevalence of dedicated single purpose backend IT resources, coupled with traditional PC based user interfaces.

The evolution of IT infrastructures to virtual cloud processing, accessed through consumer devices controlled by highly proprietary vendor OS and application frameworks, means GxP life sciences qualification frameworks must cope with a dynamic state-less environment which challenges the very principles of the regulatory IT framework.

In the rush to adopt these technologies, many life sciences firms have implemented these mobile device interfaces without proper assessment of the impacts of their integration on existing validated applications. The result is a compliance gap where topics such as data security, authentication, functional equivalency and device management and support are questionable. A memorable recent example involved a major medical device manufacturer who incorporated iPads into their field service application. As USDM Life Sciences explored the scope of the retrospective validation, despite numerous USDM inquiries concerning the role of the iPad, it was represented by the business, QA and IT that the iPad only utilized the browser to access the web-based application, and USDM’s concerns about the need to validate the application on that platform was “duplicative”. However, upon finally obtaining a sample iPad for verification, USDM discovered that indeed there was a customized vendor native iPad application being used (in addition to the browser). This added an entire new dimension to the validation scope late in the validation project. Had this not been investigated and discovered, a major source of the application’s fundamental business data would have gone unvalidated, causing potentially negative findings on an audit.

Life sciences firms are urged to be wary of the facile explanations of vendors of the equivalence of these new mobile based platforms, browsers and custom applications to the legacy validated PC-based versions as the basis for lax qualification testing and validation of these platforms. It is essential that the following activities occur:

• Formal assessments of the impact of these devices when deployed with legacy validated applications
• Inclusion of knowledgeable business, QA and validation personnel in the process of the assessments of new device impacts
• Provision of policies and procedures for the management of these devices and their software, including change control and account management
• Careful consideration of the implication of allowing non-company owned mobile devices to access regulated applications without augmentation with Mobile Device Management tools
• Recognition that mobile browsers and custom applications mimicking legacy PC interfaces are not equivalent entities, and require qualification and validation based verifications against the requirements.

Proper due diligence up front prior to deployment can avoid nasty surprises later during the inevitable audits to follow. USDM’s expertise in rapidly and cost effectively assessing and addressing the validation challenges posed by the introduction of ground-breaking mobile devices to legacy or new GxP regulated applications can save firms time, money and embarrassment.