Regulators agree that you can outsource services, but they insist that you cannot outsource your GXP responsibility. (p. 160)


Service Level Agreements (SLAs) are used by many industries to define the roles, responsibilities and reparations governing participant actions and deliverables in business relationships. When properly designed, SLAs include responsibilities and success criteria for all participants in the related business service. Such an agreement should meet the well-defined needs of the customer as well as those of the vendor and should provide clear lines of communication and recourse to all participants for issues arising.

In the IT hosting world, vendors are usually ready and able to define their business needs in an SLA, but customers often don’t describe their QA needs in as much detail as their IT uptime needs. On many occasions the IT business contract is signed before the QA audit is performed and the IQ/QA needs are defined. There is little room for negotiating IQ/QA support after the options window has been closed with a signed contract. Then it becomes add on costs for each IQ/QA item requested. This can happen with computer resources at Contract Research Organizations (CROs) and at contract manufacturers as well as at hosting and cloud data centers.

For FDA regulated companies, it is important the their internal IT and QA organizations collaborate in developing “boiler plate” wording for use by the Purchasing and Contracts functions to prepare requests for proposal (RFPs) and IT service contracts that address the need for compliance to FDA 21 CFR Part 11 and EU GMP Annex 11 regulations as well as HIPAA security and the Safe Harbor Principles. The Platform Requirements Specifications (PRS) for a GXP regulated application should be quite specific for how it is affected by these regulations and how end users as well as IT staff will provide compliance support in their respective work process activities, e.g., no sharing of passwords, consent forms for use of protected health information (PHI), restricted system admin privileges, encrypted communications.

Configuration description, change control, maintenance, and problem resolution logs and records are particularly important for the platforms of regulated applications. While sometimes this documentation can be a challenge for internal IT departments to maintain, it becomes a virtual black hole in most third party vendor data centers. Online tracking systems may be used at vendor sites, but they are configured for the business practices of the supplier, not the IQ reporting needs of the customer. You need to work with your vendor to see what initial and ongoing logs or reports they can send you for the operation of your platform to its PRS needs. A monthly IQ report is ideal, but a quarterly IQ report could also be useful for showing “due diligence” management control of the regulated platform system. Such configuration management reports are what needs to be negotiated as part of the SLA contract discussions with third parties.


Next Month: Performance Qualification (PQ) Package – Service Level Agreements (SLAs)

Regulators agree that you can outsource services, but they insist that you cannot outsource your GXP responsibility. (p. 160)