Regulated company does not want to perform UAT – is it compliant?

« Back to Previous Page
4
0

Hi! Can anyone help with the following case? We are a software development company (system supplier) for regulated industry of...

Please to read the entire article.

Marked as spam
Posted by Natalia Blagodarova (Discussions: 1, Comments: 2)
Replied on July 25, 2018 12:00 am
27 views
0
Private comment
The regulated company has the burden of prooving fitness for intended use to their auditors.
This is usually done through the validation programme, and your client should establish a validation plan to define the extent of documentation and testing for each system.
They may elect to skip testing of oob features if you supplied documented qualification of such features.
As this is a cat. 4, they should determine the extent of configuration required for their implementation.
A risk analysis could be conducted to determine if any of these configuration points need to be formally verified in testing.
If all URS and FRS are traced to oob testing and/or accepted through the RA process, your client could theoretically skip formal UAT.
But for GAMP5 cat 4, as a minimum I would still do end-to-end testing of their processes.
Marked as spam
Posted by Dominique André (Discussions: 0, Comments: 3)
Replied on July 24, 2018 8:00 pm
0
Private comment
Do they basically want to treat your organisation as a third party contractor, and to execute their scripts on your QA environment? If so, and you accept this role, and they accept how you manage this shared QA environment, then I don't see any issue. However, you'll need to clearly document their configuration, get training on their testing/ deviation processes, and probably be responsible to manage their test records.
Marked as spam
Posted by Akash Arya (Discussions: 1, Comments: 13)
Replied on July 24, 2018 8:00 pm
0
Private comment
There is no regulatory requirement for this.

BUT...the benefit of a TEST/QA environment reveals in the case when you have to work on troubleshooting if something goes wrong during performing the validation on the production environment. This costs time.

The only risk I see is that if there are any issues during the validation review that require to provide evidence to support the execution then you have to assure that going back and get the data is possible in the QA environment (also in case if an inspector wants to see them).
If you back up validation data then it takes time to restore and make it available to provided test evidence.
You also have to assure that the QA environment there is an exactly image of the customers production environment.
These are risks to consider by using this approach.

For further information I can recommend the GAMP Good Practice Guide: Testing GxP Systems.
Marked as spam
Posted by Rebekka Strauß (Discussions: 0, Comments: 2)
Replied on July 25, 2018 8:00 pm
0
Private comment
To do their UAT they need to accept the configuration they test AND your QA environment needs to match their PRD environment. I see that as the big hurdle. Also, UAT should include procedures to be used by business, even in draft form. Another issue to resolve. As others have said, it is their responsibility to validate. As supplier you do what they ask-and pay-to have you provide them.
Marked as spam
Posted by Mark Newton (Discussions: 0, Comments: 16)
Replied on July 25, 2018 8:00 pm
0
Private comment
Thank you, all!
Marked as spam
Posted by Natalia Blagodarova (Discussions: 1, Comments: 2)
Replied on July 26, 2018 8:00 pm
0
Private comment
I would say that the of all the test procedures, the UAT is the one that the business should want to perform to ensure proper configuration; no matter how good the IQ/OQ is, they do not ensure that the system meets business needs. If they don't they are really only at risk of not being able to follow their own process; can they accept the risk of a process deviation due to untested procedure?
Marked as spam
Posted by Erin Wright (Discussions: 0, Comments: 1)
Replied on July 26, 2018 8:00 pm
0
Private comment
As the software supplier, you, presumably, have established the system performs as specified. It would be unusual for the regulated company to expect you to perform UAT, but the purpose of UAT is to provide evidence that the system meets the requirements, with adherence to specification established. Provided the UAT summary report establishes that it also meets requirements, it may be acceptable for you to perform tests on their behalf. I would prefer the UAT to involve the client to some extent, perhaps signing off the test scripts and the test results, but definitely the test summary report. Remember, it is the regulated company that carries the burden of responsibility. For me the question to the regulated company would be that, although it may be OK for you to establish the system meets the requirements, who is going to prove that the broader processes the system supports work as expected?
Marked as spam
Posted by Nic Oatridge (Discussions: 1, Comments: 2)
Replied on July 28, 2018 8:00 pm
0
Private comment
As someone else mentioned, there is no specific requirement to perform UAT - so this in itself does not compromise compliance. The regulated entity must take whatever steps they require to demonstrate compliance. If they decide to do something other than the usual best practice they must be able to justify that. From your perspective I would keep documented evidence of their decision not to perform UAT because if the brown stuff ever hits the rotating blades then they may try to sling some of it in your direction. They have to take responsibility but it could cause arguments and may damage your reputation so be prepared.
Marked as spam
Posted by Gerard Treacy (Discussions: 0, Comments: 1)
Replied on July 29, 2018 8:00 pm
0
Private comment
No regulatory requirement exists as far as I am aware of, but I see two obstacles for this approach:

1) It is not a good practice to have the vendor performing tests as it could be interpreted as conflict of interests
2) Your company will get a responsibility which is risky because business processes and regulatory rules knowledge clearly isn't your area of expertise and, in case of any legal or regulatory event caused by a not so well planned testing strategy, you'll be accountable for something outside your scope of work

In other words, it looks like your client is trying to get rid of the problem.
Marked as spam
Posted by Flavio kawakami (Discussions: 0, Comments: 8)
Replied on July 29, 2018 8:00 pm
0
Private comment
Mhra guidance highlights the dangers of Vendor testing only. It is likely to be functional verification testing only, will potentially skip their own SOPs , training, etc etc. and...... has no concept of U for User. Nor likely R for Risk as it pertains the their assessment of risk and their own acceptable residual risk. And then... Q for Kwality Oversight. How will they perform periodic review, especially for DI if they’ve skipped UAT?
Marked as spam
Posted by Heather Longden (Discussions: 0, Comments: 18)
Replied on July 31, 2018 8:00 pm
0
Private comment
I would encourage you to meet with the senior QA personnel of the client, and inform them of the risks they are accepting. Once the system is accepted for use, they are responsible for compliance of the system-not your company. Skipping UAT adds several risks that they should mitigate: (1) some users get familiar with system in UAT; no UAT means more startup issues due to lack of power users who would answer "first use" questions from users; (2) UAT verifies that user requirements are met, following business processes; business is assuming all requirements are met because vendor affirms it. They might be technically met, but not in the way the business expected them to be met; (3) business support of system will be weak. QA activities, such as incident investigations will likely lack needed depth to get root cause identified. Periodic reviews will suffer the same problem until business expertise is developed.; (4) business will need to retain developers for inspection defense.
Marked as spam
Posted by Mark Newton (Discussions: 0, Comments: 16)
Replied on August 1, 2018 8:00 pm
0
Private comment
UAT is performed for users to accept the system and confirm that THEIR user requirements have been met. If they feel it is too time-consuming to conduct UAT in a QA environment, how will they feel when their requirements have not been met, the system doesn’t perform as they expected, and it doesn’t match their newly documented processes? My recommendation would be to go back to the client and reinforce the time spent now in a QA environment will ensure a smooth go live.
Marked as spam
Posted by Nancy Sutter (Discussions: 0, Comments: 1)
Replied on August 1, 2018 8:00 pm
0
Private comment
Not acceptable.
UAT shall be carried out as per GAMP and as part of Quality environment and some companies do it as part of PQ in Quality.
Marked as spam
Posted by Darshan Reddy (Discussions: 0, Comments: 1)
Replied on August 4, 2018 8:00 pm
« Back to Previous Page