21. Validation and Outsourced IT Services

Regulators agree that you can outsource services, but they insist that you cannot outsource your GXP responsibility. Computerized systems used for GXP purposes require validation whether internal or external to the company… (p.160)


The first thought about “outsourced IT services” is often that of third party data centers providing off site systems and infrastructure to client companies.  Initially this began as providing locked floor space or rack space for clients to install and remotely manage their own equipment to gain benefit from the expanded communications capacity and disaster recovery capabilities of the provider.  In parallel, clients could also use systems supplied and managed by the provider.

Fifteen years ago there was a steep learning curve for third party data centers to understand the special needs of GXP regulated clients. Initial due diligence audits would find general quality statements, but little in the way of formal quality management systems with documented standard procedures for actions taken during installation, operation, and configuration management of systems and infrastructure in the data center. Emphasis on physical security was always strong, but internal operational practices, employee training, and employee system access were often less well controlled and documented.  Disaster recovery was focused on power outages and seldom tested reinstalling critical systems and infrastructure. They rarely had external security and intrusion testing performed on the firewalls and communications. Today some of these same issues can still be seen in new entrants to the third party data center business and in the move to cloud technology services.

Today there is another whole generation of “outsourced IT services” for GXP regulated companies.  These include all the many third party suppliers of product services and data services that are in turn using outsourced data centers themselves on your behalf. You must keep your eye on the life cycle for GXP data that you are contracting to receive from any supplier. In your contract with that supplier you must address the quality, security, and chain of custody of that GXP data from its first creation to its final destination on receipt by your organization. Your tools for this are the contract itself and due diligence audits of your supplier, their internal IT data center, and any outsourced data center. Any use of cloud technology also needs to be defined and agreed by contract.

Your audits should find installation qualification records and software validation packages for any systems used on your behalf that you know you would need validation if they were your own. A strong Quality Management System (QMS) with expected standard operating procedures (SOPs) and tested Disaster Recovery plans are essential. Such “due diligence” audits must be performed before serious contract negotiations proceed if their full value is to be achieved. Issues arising from the audit can then be addressed in the contract phase, including a decision to look for a more suitable vendor.


Next Month: Due Diligence Auditing of IT Services

A Certificate signed by the Lead Auditor can be used to verify that an audit did occur on a stated date for an identified auditee and the certificate is shown during audits and inspections as evidence that the audit took place. (p.270)