Product Spotlight: How to Leverage USDM’s Vendor Audit of ServiceMax

Are you leveraging the documentation provided by ServiceMax to minimize your compliance burdens?

The U.S. Food and Drug Administration (FDA) has continuously promoted leveraging vendor documentation to support a risk-based least burdensome approach to software quality. The FDA states that if vendor documentation is in place and of good quality, it can and should be leveraged as documented evidence in establishing that the software core functionality has been validated.

While life sciences organizations own the responsibility of ensuring that software meets their specific intended use, they should make sure they aren’t re-creating documentation for documentation’s sake. They should use the vendor’s assets whenever possible and ensure the software works for their unique end-to-end intended use.

Understanding the ServiceMax Vendor Audit Report

Annually, as a part of the USDM Cloud Assurance™ subscription service, and to replace the need for individual audits, ServiceMax approved USDM as an independent qualified third-party to audit their design, development, testing, qualification, and maintenance methodologies. The audit is scoped explicitly to the ServiceMax infrastructure for compliance with FDA software compliance standards.

Results of the audit are compiled into the ServiceMax Vendor Audit Report – a comprehensive report and reference document—which not only provides a summary of the audit, but also cites all source material reviewed as a part of the audit activities and provides direct links to all publicly available content.

Ways to Leverage the ServiceMax Vendor Audit Report

Infrastructure, Back-Up, Disaster Recovery, and Installation Testing: Installation Qualification (IQ)

ServiceMax sits on the Salesforce platform; therefore, infrastructure qualification is performed by Salesforce and is verified and leveraged by ServiceMax under their Supplier Qualification process, which verifies that specific critical elements are in place (such as backup and recovery, access control, change control, SDLC testing, release management, and communications). The ServiceMax software installation is controlled and managed by ServiceMax and includes their own release management, SDLC testing, change control, and communication elements. Much of the IQ work is already done for you and you can use the summary of documentation reviewed during the audit—and detailed in the Audit Report—as your evidence.

  • Leverage ServiceMax (and Salesforce) core functionality testing. Reference the appropriate sections of the Vendor Audit Report in your Traceability Matrix and include a copy of it as evidence in your Validation package.
  • Focus on qualifying the configuration specific to your use cases; verify your instance has been configured for your intended use.

Functionality and Workflow Testing: Operational Qualification/Performance Qualification (OQ/PQ)

While functionality testing is required from an intended use standpoint, certain aspects of the traditional OQ/PQ activities can be leveraged from the audits. The most prominent is a detailed review of ServiceMax’s functional testing activities: the overall SDLC, including unit, regression, integration, and boundary testing of the out-of-the-box (core) functionality. You can use the summary of documentation reviewed during the audit—and detailed in the Audit Report—as your evidence.

  • Leverage ServiceMax core functionality testing. Reference the appropriate sections of the Vendor Audit Report in your Traceability Matrix and include a copy of it as evidence in your Validation package.
  • Focus OQ testing on high-risk core and custom functionality that impacts product quality and patient safety and consider using the Computer Software Assurance (CSA) approach to optimize the risk-based approach to validation.
  • Focus PQ testing on your use of the system. Test the end-to-end workflow to establish confidence that your process operates as intended and is reproducible.

Cloud Assurance™

Whenever software is updated, conduct an analysis for validation of the individual change, and to determine the extent and impact of that change on the entire system. As part of the Cloud Assurance™ subscription for ServiceMax, USDM provides an impact assessment of upcoming releases that includes guidance on the required regression testing based on the high-risk areas of the system’s core functionality.

You can upgrade your Cloud Assurance™ subscription to include a customer-specific analysis of ServiceMax releases to ensure all aspects of your specific system configuration are tested according to your inherent risk within your testing environment. Additionally, regression test (PQ) scripts are executed as required for each release specific to your configuration.

Contact USDM to learn more about USDM Cloud Assurance ™ and how you can offload your cloud vendor management and validation maintenance of ongoing system updates, patches, and changes.

 

ABOUT David Blewitt

David is the VP of Cloud Compliance USDM Life Sciences. He is an accomplished life science regulatory and IS compliance professional with extensive hands-on and leadership experience in the pharmaceutical, medical device, biotech, and blood management industries. He is a highly regarded expert on a wide range of regulatory predicate rules.