IT Compliance in Biopharma

June 26, 2020

Co-authored by: Nidhi Bajpai


Change management is a regular feature of IT operations, as several standard and emergency changes happen in the production environment. It is therefore essential to implement a compliance process that ensures quality change management within stipulated timelines. Most organizations manage compliance along with quality, leading to a shift toward an internal, independent team that monitors compliance for all change management procedures. This team is responsible for monitoring internal audit processes such as the periodic review of applications and of various types of documentation in line with good documentation practices (GDP), setting compliance goals and policies, procedural adherence, designing training programs, and assessing and reporting on compliance activities.

IT Compliance Space in Biopharmaceuticals

IT compliance activity is a key feature in the life sciences industry, and it works in tandem with the quality management team. The good practices (GxP) process is an essential requirement of the industry, from execution to automation. GxP processes are those good practices that can be adapted in every business flow. They are key to manufacturing, laboratory, research, and other systems that are directly connected with key activities. Every GxP-qualified system undergoes periodic quality assessment for compliance. The following is a brief outline of the activities of an IT compliance team.

IT compliance is a crucial feature in the life sciences industry, which works in tandem with quality management.

Risk Assessment

Risk assessment forms the basis for compliance activities. It deals with the inherent risks involved within a system. For example, when an organization uses a quality management system in the cloud, it puts essential risk assessment procedures in place and reviews the system periodically for its performance, data integrity, audit trail assessment, and other security features. These systems are reviewed, analyzed, and assessed periodically. The findings are maintained in a quality management tool to track any exceptions and deviations and to take the necessary corrective actions and preventive actions (CAPA). The application is similar to product life cycle application tools.

Computer System Validation (CSV) and Periodic Review of Systems

Risk assessment includes application integrity, as most of the applications are in the cloud. So, the activity begins with the identification of systems that are on-cloud, on-premises, and SaaS. These applications are then classified into GxP and non-GxP systems. Compliance processes are transparent and stringent, especially for GxP systems such as good manufacturing practice (GMP), good clinical practice (GCP), good laboratory practice (GLP), and others.

The SOC 2 audit is one of the emerging procedures. It is now mandatory for those organizations that deliver a product or service on the cloud. They undergo a biannual audit, and the audit report is shared with the end users. The compliance team sets up a procedure to review those audit reports for its GxP systems periodically. The findings are shared with the providers for any clarification and further improvements.

GxP Process

GxP means any good practices. Manufacturing processes that incorporate good manufacturing procedures and are validated by nodal agencies such as the US FDA, WHO, and other global bodies are said to be GxP processes. All these activities are now electronic, and hence quality and compliance teams have to audit these systems for validity and adherence to the prescribed standards.

Examples of GxP systems in a life sciences organization include:

  1. GMP – Good manufacturing practice
  2. GDP – Good documentation practice
  3. GAMP – Good automated manufacturing practice
  4. GCP – Good clinical practice
  5. GLP – Good laboratory practice
  6. GPvP – Good pharmacovigilance practice
  7. GRP – Good research practice

The following is an example of the GxP process during change management in the life sciences IT space. A system related to clinical data management is required to be upgraded to a newer version. There are about 15 CIs involved in the change. A technical resource should follow the standard good practices while executing the change:

  1. Accept and acknowledge the activity in the change management tools within the SLA
  2. Analyze the present ‘as is’ and the target ‘to be’ changes
  3. Take a backup of the ‘as is’ system, including a data backup, with screenshots
  4. Perform the upgrade, step by step, and capture the evidence in screenshots as per GDP
  5. Complete the change and capture the final step
  6. Attach all the evidence in the tool
  7. Forward the same to IT quality for review
  8. IT quality approves or rejects the changes
  9. Migrate the same to the production environment once it is finally approved

The above-mentioned practices are standard, and sometimes these changes involve test management after the initial change. From the compliance point of view, there should be clear guidance on the environments to be used in the change process.

System Qualification

System qualification is an important compliance metric. The qualifications are:

  1. Installation qualification
  2. Operational qualification
  3. Performance qualification

Installation Qualification (IQ)

Various global agencies have put in place strict guidelines requiring computerized systems to qualify against certain standards. Most of these systems are now on-cloud, replacing on-premises installations. It is therefore important to provide policy guidelines for the installation procedures.

Checklist for an IQ:

  1. Locational check
  2. Environmental conditions and security aspects
  3. Packing list/version details of the database
  4. Software installation guidance and security
  5. Data integrity and security
  6. Verifying connections with peripherals and their security and integrity

Operational Qualification (OQ)

Operational qualification includes equipment testing, defining testing procedures while in production, defining continuous validation methods of operation, and maintenance of operational records as per GDP.

Performance Qualification (PQ)

Performance qualification is an important system qualification in terms of the system's performance. The performance should be along expected lines according to its standards, with validation of the output generated. This process should include:

  1. Testing procedures from the process to data
  2. Production environments, browser requirements, and other operational parameters
  3. Calibration and validation
  4. Analysis methodology
  5. Variability limits
  6. Vendor’s application support policies and procedures

Document Management

Document management should be more efficient, and compliance has an important role to play. Many cloud systems are available to manage documents as per GDP:

  1. GxP documents are to be maintained separately by process, such as GMP, GLP, and others
  2. GxP documents should have a version control
  3. They should be segregated as SOPs, control documents, policy guidelines, etc.
  4. They should be subjected to a document life cycle
  5. They should undergo a valid approval process
  6. Documents for out-of-use systems should be retired in line with the system retirement
  7. There should be a robust archive management system
  8. There should be a periodic review of the documents, with the latest updates on procedures and policy changes from time to time

Compliance Training

Good compliance management should include a training plan and its implementation. This should be planned diligently according to the level of operations involved.

  • An operations team should be trained in the compliance management policies and procedures to adhere to during work, change management, defect remediation, and problem management.
  • A management group should be trained in GRC-related skills. The quality management team should impart training in issue identification and in remediation plans and procedures.

Compliance Reporting

Reporting is an integral part of compliance management, as it helps to identify the strengths and limitations of the compliance metrics. Important compliance metrics are:

  1. Training compliance
  2. Document compliance
  3. Periodic review
  4. System compliance
  5. Quality compliance that includes metrics like exceptions, deviations, and CAPAs. 

Third-party Management

The information technology department in any organization uses third parties for its various operations:

  1. Application management
  2. Infrastructure management
  3. Information security
  4. Data management and analytics. 

Governance is mostly done by the organization and the third parties that support the applications. So, organizations ensure that they not only train their internal resources but also provide the same training to the third parties who are part of their ecosystem. The compliance team also reviews the performance and standard deliverables of these third parties.


So, change management has compliance management metrics, which are key performance indicators during the change. This ensures the quality, control, and governance of the organization’s IT environment. This article was intended only to provide an insight into compliance activities; a detailed piece can be provided in due course.