Overview
A large biotechnology company with $100B in revenue wanted to extend an existing IT platform to new, regulated use cases without the cost and timeline of a traditional validation effort. USDM deployed Computer Software Assurance (CSA) methodologies to qualify the platform for GxP, retire a legacy system, and drive meaningful efficiencies across IT, Quality, and Informatics.
The Challenge
The customer was already using the Force.com platform for non-GxP processes, but two new business priorities required the platform to operate in a regulated GxP context:
- Qualify Force.com to enable the implementation and validation of a third-party complaint handling system to replace a legacy system.
- Build a custom sample management application to be rolled out to account managers nationwide.
Both use cases had to comply with 21 CFR Parts 11 and 203, raising the bar for data integrity, audit trails, and electronic records. The departments engaged spanned IT, Quality, and Informatics, and the platform itself first had to reach a qualifiable state before any GxP application could go live.
The Approach
USDM was hired to implement and validate the third-party complaint handling system and to develop and validate the custom sample management application. Because the Force.com platform also required qualification to support GxP processes, USDM applied a risk-based CSA methodology to establish and maintain the qualified state.
Establishing the qualified state
- Assessed the customer's data centers, network, security, quality systems and processes, training, audit trail, data retention processes, and change control systems and tools.
- Established the initial qualifiable state of the Force.com infrastructure.
- Created baseline configuration specifications for all GxP elements of the system, supporting 21 CFR Part 11 compliance.
Maintaining the qualified state with CSA
- Used a CSA methodology to ensure appropriate controls, including a Force.com audit, review of standard change controls, verification of communication and system administration processes, development of robust SLAs, and baseline configuration specifications.
- Managed Force.com releases by performing a detailed analysis of changes ahead of production release to ensure no adverse effects on existing functionality. The analysis included risk assessment, creation of new requirements, execution of new and regression testing protocols, and reporting.
- Helped create internal policies for change control and validation to support new functionality, including validation configuration processes and regular regression testing that could be reused for future cloud systems as part of an ongoing continuous compliance practice.
Delivering the applications
- Developed a mobile iOS application that synced with Force.com to support sample disbursements.
- Developed a best-in-class SDLC that all parties worked within and can be utilized with future cloud vendors.
- Developed critical SLAs for transparency and protection, and enabled the customer to utilize third-party assurance activities, saving time and money. This reliance on validated vendor evidence mirrors a strong third-party risk management posture.
The Results
By applying CSA methodologies to qualify the platform and validate both applications, USDM helped the customer retire a legacy system and gain significant efficiencies across the organization:
- Used CSA methodologies to drive meaningful GxP process efficiencies.
- 50% decrease in validation cost and time.
- Significantly reduced testing overhead.
- Developed a best-in-class SDLC that all parties worked within and can be utilized with future cloud vendors.
- Developed critical SLAs for transparency and protection.
- Utilized third-party assurance activities, saving time and money.
The result is a single, GxP-qualified platform that retired legacy systems and processes while establishing reusable validation, change control, and SDLC practices for future cloud deployments. To see how a CSA approach can do the same for your regulated systems, contact USDM.
