Keith Williams CEO GxPi
GAMP®5 as a Suitable Framework for Validation of Electronic Document Management Systems ‘On Premise’ and 'In the Cloud'
Drug Information Association
www.diahome.org
Disclaimer
The views and opinions expressed in the following PowerPoint slides are those of the individual presenter and should not be attributed to Drug Information Association, Inc. (“DIA”), its directors, officers, employees, volunteers, members, chapters, councils, Special Interest Area Communities or affiliates, or any organization with which the presenter is employed or affiliated.
These PowerPoint slides are the intellectual property of the individual presenter and are protected under the copyright laws of the United States of America and other countries. Used by permission. All rights reserved. Drug Information Association, DIA and DIA logo are registered trademarks or trademarks of Drug Information Association Inc. All other trademarks are the property of their respective owners.
History and evolution of GAMP®
• Group founded in 1991 in the UK from life sciences manufacturing (not called GAMP®)
• First GAMP® (Good Automated Manufacturing Practice) guide published in 1994
• Partnered with ISPE (International Society for Pharmaceutical Engineering) in 1994
• GAMP® 4 (2001) included a lot of detail in terms of checklists, templates, proposed “V” model etc.
• Replaced by a Quality Risk Management approach in GAMP® 5 (2008) plus IT related best practice guides (2005-2012)
• It’s a guideline, not a “Regulation”, but still widely followed
http://www.ispe.org/gamp5
Context: Trend of EDMS over the last 15-20 Years, Matching the Evolution of GAMP®
• 1994: Mostly In-house developed EDMS or bespoke by supplier (OP)
• 2002: Configured EDMS on platforms, still some development (OP)
• 2010: COTS or Preconfigured (OP and Hosted EDMS)
(OP = ‘On-Premise’; Hosted may = Cloud)
Validation approaches have had to adapt to this change as more of the activities transfer to ‘Outsourcing’ companies
Can you Use GAMP® 5 for Validation of an EDMS for ‘On Premise’ and ‘Hosted in the Cloud’ deployment?
• In short, Yes it is suitable (otherwise this would be a short talk).
• It is a framework designed to ensure that computerised systems are fit for purpose and compliant with current regulatory requirements
BUT
• It should be employed as part of, and alongside your Validation Master Plan (VMP)
• A specific Validation Plan (VP) should be produced for each GxP regulated system
• VP should focus on aspects related to patient safety, product quality and data integrity
• You need to have a deep understanding of the underlying technologies that are being employed in the Hosting of the Infrastructure, Platforms and Software applications
• You should leverage as much of the Suppliers’ expertise, testing and documentation as possible (see examples later)
Why is GAMP® 5 useful now?
RISK ASSESSMENT AND OVERVIEW OF TOOLS
How can a risk based approach cut costs?
• High Level Risk Assessment – do you need to validate at all?
• Functional Risk Assessment – where should you focus your efforts in terms of documentation and testing?
Assessment- do you have a GxP Critical system?
GAMP 5 Risk based approach at a functional level
What does GAMP 5 suggest?
• Clear separation of Regulated Company and Supplier Responsibilities
• Advice on managing the interface with suppliers, including assessments / audits
• Full proposed set of documents, including “templates”
• Acknowledges differences between Information Systems and computer-controlled “equipment”.
• Application of a Risk-based approach
• Categorisation of Software or Components
• Emphasis on the Validation Plan and Validation Report
• The end-result should not just be an auditable set of documents, but hopefully a computer system that does what it is meant to do!
VALIDATION OF AN EDMS ‘ON-PREMISE’ VS ‘CLOUD’
GAMP® 5 Compliance by adopting a life cycle approach to Computerised Systems
The Main Components of an EDMS that need to be managed
• Platform Hardware (Servers and clients)
• Server Software (Platform and Application)
• Client Software
• EDMS Processes (Process Owner)
• EDMS Community (People, SME, System Owner; may also be Process Owner)
Some definitions of ‘Cloud’ and Hosting (outsourcing)
Cloud Computing: SaaS, PaaS, IaaS
• Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
• Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure.
• Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider.
• Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications.
Some further definitions of ‘Cloud’ and Hosting (outsourcing)
Cloud: Private, Public, Community, and Hybrid
• Private cloud: The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
• Public cloud: The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
• Community cloud: The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.
• Hybrid cloud: The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
GAMP® 5 Categories and what to do
• Infrastructure and OS are treated as GAMP® Category 1 whether On Premise or Hosted
• The EDMS will be Category 3 if it is Pre-configured and deployed without any major changes (not likely)
• The EDMS will be Category 4 if it is configured
• Category 5 we won’t cover here but your Software Application provider should have validated their core product to this
Service and Deployment models for On Premise and Hosted and who controls and manages them
Hybrid Clouds can be combinations of On-premise, Private or Public
Example Component Categorisation for EDMS Cloud Implementation
• Service: IaaS. Components: Hardware, Internet Connectivity, Power, Servers, Storage and RAM, VMWare, Hyper-V. GAMP® Category: 1. What to do? Qualify and manage infrastructure. Audit procedures.
• Service: PaaS. Components: O/S, Windows Server, SharePoint and SQL. GAMP® Category: 1. What to do? Qualify the stack. Manage / control ongoing changes. Audit procedures.
• Service: SaaS. Components: e.g. Hosted EDMS. GAMP® Category: 4. What to do? “Validate” the hosted application. URS and UAT.
Who?
Sponsor
AV
AV or Sponsor
Platform Vendor (PV) PV.
Infrastructure Vendor (IV). Application Vendor (AV) or Sponsor.
For EDMS Projects, the supplier involvement varies with ‘On-Premise’ or Hosted Variations in these areas
All the areas below will have differences between ‘On-Premise’ and Hosted implementation
‘On Premise’ qualification and validation management
• Regulated Company handles everything in-house
• Owns and manages corporate IT infrastructure, relying on in-house IT department
• Sets up and qualifies separate machines / platforms / environments for informal development, formal testing and for live use
• Audits the software supplier
• Validates the application / system
Hosted ‘Cloud’ qualification and validation management
• Regulated company uses private/public cloud-based Software as a Service for submissible or inspectable data
• Allows IaaS provider to manage infrastructure flexibly, adjusting capacity and even location, as needed
• Relies on SaaS provider’s validation documentation and testing of functionality
• Carries out minimal validation of software configuration to meet basic requirements
• Carries out audits of service providers
EXAMPLE OF CATEGORY 4 EDMS QUALIFICATION
EDMS CAT 4 DETAILED PLAN EXAMPLE
EDMS Projects, the supplier involvement varies with ‘On-Premise’ or Hosted Variations
Area examined for a CAT4 EDMS example
Category 4- Configuration of the EDMS
EDMS Cat 4: Project Activities, Deliverables and Responsibilities Regulated Company and Supplier
How could this break down into activities for a multi-supplier Cloud delivery?
Organisations: Regulated Company, Software Developer, SaaS Provider, IaaS Provider
Activities:
• Validation Plan & Report
• Requirements & Acceptance Testing
• Functional & Design Documentation
• Installation Qualification
• Incident Management
• Infrastructure Qualification
• Operational Change Control
• Periodic Review
Note: Can use separate matrices for “Project” activities and “Ongoing Service”
Summary of Compliance Risk Management in the Cloud
• You can’t mitigate risks unless:
– You know what you are managing
– You know what the risks are
• Biggest problems with ‘Cloud’ are:
– Lack of understanding of what the ‘Cloud is’ (and is not!) and to what the consistent are that apply to your company by Quality AND IT staff
– Lack of understanding of the enabling technologies, how they work and interactions between them and other applications
• Suppliers Sell ‘Cloud’ services:
– Without understanding what the regulated company needs and where the risk is
– Without defining responsibilities
– Without appreciating and the cost of compliance the Life Science company requires
*this is not unique to ‘Cloud’ suppliers, this is general outsourcing and Supplier management misunderstanding, usually after the contracts have been signed by procurement and variations occur
SOME PRACTICAL EXAMPLES
Example 1
• Small Pharma Company (500 users) using on-premise EDMS software for document management.
• Company keen to minimise IT costs so they set up their server farm as virtual machines.
• Software supplier contractually responsible for software Change Management, including regression testing.
• Software supplier using IaaS provider to host virtual test environments, as part of the support provided.
Example 1: Lessons Learned
• Traditional ‘On-premise’ model project went to plan on time and budget
• BUT; the capability to rapidly set up an identical “qualified” test environment greatly speeded up the testing of an unrepeatable fault, the fix and then release of controlled changes
• Good support from a specialised IaaS provider, keen to explore ways of supporting Pharma clients
• Qualification of new virtual environments can also be greatly speeded up, via use of executable scripts to install the relevant files and to confirm that the installation meets specifications
Example 2
• New “virtual” Pharma company using hosted SaaS for electronic document management.
• The Software Product is highly configurable (as distinct from customisable) to meet client business requirements
• Specialised software application / SaaS provider with auditable development documentation ready for Pharma clients.
• Extensive auditing carried out by Pharma Company, leveraged the document set and experience of the supplier
• Separate IaaS provider used for actual hosting, audited by the SaaS provider
Example 2: Lessons Learned
• Niche service providers do understand needs of Pharma Clients, and expect to be audited ‘hard’ as part of supplier selection
• SaaS provider can take on responsibility to audit and manage the IaaS provider, including Infrastructure and Installation Qualification and that can be audited by Pharma Company.
• Suppliers need to be pragmatic when faced with multiple opinions on compliance details from different clients; make sure that they have a robust but cost effective system
• Configuration of the application needs to be managed carefully by the SaaS provider, with maximum input from actual users
WHAT THE REGULATORS HAVE SAID ABOUT CLOUD USAGE THIS YEAR
What are regulators interested in when they discover IT is ‘in the Cloud’?
• That the Integrity of the Data is assured
– Risks have been clearly identified & mitigated
– Client/Provider Contracts cover off key elements
– Supplier Quality Systems are adequate
  • QMS, validation, change control, training
– Cybersecurity has been tested (ethical hacking?)
– Data Backup/Recovery processes are robust and fit for requirements
– Evidence of Audits of Providers by FDA / other Clients
SUMMARY
• GAMP 5 is widely used and referenced in our Industry
• It can help both Suppliers and users of EDMS
• It can be applied to both on-premise and hosted environments
• I would advocate closer ties with DIA and ISPE so experiences and guidance can be shared and knowledge built
Thanks for material and thoughts contributing to this presentation go to:
• Phil Harrison of GXPi
• Thana Subramanian of GE
• Randy Perez of Novartis (and Chair of ISPE)
• David Stokes of Business Decision
• ISPE for use of GAMP® material
• Fujitsu
Thanks for listening!!
Keith Williams ([email protected])
REFERENCE MATERIAL
Other Resources: Best Practice Guides
• IT Infrastructure Control & Compliance Guide
– The validated status of EDMS applications that are dependent upon an underlying IT Infrastructure
– Being updated for ‘Cloud’ elements
– ID and assessment of components
– Qualification
– Maintenance of the Qualified State
• Operation of GxP Computerized Systems (2010)
– Regulators usually focus on the integrity, consistency, and completeness of controls required to maintain compliance.
– Highlights the importance of the operation phase of the system lifecycle
– When the return on investment for the significant time and resource expended in implementing new computerized systems can be achieved.
Other Resources: Best Practice Guides
• Testing of GxP Systems (2012)
– Very process driven and prescriptive (around 200 pages)
– Helps maximize testing efficiency without compromising the quality of GxP Systems
– Focusing testing on areas that have the greatest impact
– Has been recently expanded and updated and reflects ICH Q8, Q9, and Q10
– Contains new information on Cloud computing
• Global Information Systems Control & Compliance (2005)
– Project Management on multiple geographic site Computer system projects
– Validation and Implementation approaches
– Global System management of Change Control
– Record retention
Useful References
• GAMP 5: http://www.ispe.org/gamp-5
• NIST: http://www.nist.gov/itl/cloud/index.cfm
• ICH: http://www.ich.org/
• Annex 11: http://ec.europa.eu/health/files/eudralex/vol-4/annex11_012011_en.pdf
• 21CFR Part11: http://www.fda.gov/RegulatoryInformation/Guidances/ucm125067.htm
• GAMP Community of Practice: http://www.ispe.org/gampcop
How Risk Management ICH maps to GAMP® 5
The Advantages of using GAMP® 5
• Has had a lot of thought go into it, in a pragmatic way
• Is process driven and risk based so you can use the framework to do as much or as little as you see fit
• Gives you the latitude to do what is necessary for your business and allocate appropriate resource
• Establishes a common language and terminology (BUT see ‘Cloud’ for further confusion)
• Has been harmonised where possible with other standards such as ICH Q8, Q9 and Q10 and various ISO standards
• Is designed to be compatible with other computer and software models and methods like ITIL, RUP etc.
• The validation of a computerised system to achieve and maintain GxP compliance throughout the lifecycle of that system
• It clarifies scalability of and central role of Quality Risk Management in a sensible justifiable approach to what you do (but document it!!)
The Disadvantages of using GAMP® 5
• May not fit well to your existing Quality process
• Comes from a Manufacturing/Production bias
• So there may be a feeling of ‘it doesn’t apply to me’
• Terminology and nomenclature may be different
• Less prescriptive than previous GAMP® iterations
• The risk based approach requires complete product, process and technology understanding
• This in turn means you have to understand deeply the technologies being employed and their quality impact, and/or employ or pay for Subject Matter Experts (SMEs)
• For Hosting situations, you will require (and may have to educate) your Supplier to manage their QMS and activities in a way commensurate with GAMP® (see next slide)
• Cost: perceived and otherwise, but mostly getting everyone on the same page and with agreed nomenclature
Just a reflection on why we bother to validate?
• Minimise the risk that something goes wrong with the end customer’s health and safety
• Keep the regulators confident in your business and prevent them issuing restrictions and actions against you (note: they require to see documented evidence in Human Readable format)
BUT
• Cost of compliance adds to cost of doing things and ultimately cost of goods (which we want to reduce)
• Computer System Validation (and GAMP®) was traditionally associated with extra workload and greatly increased costs of compliance
Challenges of imposing GAMP® 5 on Suppliers of Hosted Services for the Life Sciences sector
• Change control: Sometimes even minor software tweaks or patching, whether necessary or not, can cause major breakdown. The rigour of change management, impact assessment and testing adds to the work burden and short term cost (and is one that the supplier may not be used to)
• QMS: Infrastructure suppliers may prefer not to work within the confines of specifications and procedures developed by others (Pharma Sector). If you are going to rely on suppliers, they may not want to bear the cost of implementing a formal QMS that will tick all of your requirements, especially the ‘cloud’ providers who have many other customers
• Documentation: Effective documentation management is fundamental to demonstrate compliance, again suppliers may not be able to manage this, or their training records, auditing of their suppliers etc.
Some things to look for in a Supplier to ease the implementation of a Cloud EDMS
Minimum
• Documents and schematics that are understandable by the non-expert
• They manage change in an acceptable manner
• They have clear contracts and allocation of responsibilities
• They have been audited by other regulated companies
• They audit their suppliers
• Suitable test scripts for their environment to prove security and data integrity
Ideally
• They have detailed experience of the compliance needs of the Life Sciences industry and tools to aid and ensure that compliance is achieved efficiently
• They have validation documents of a suitable quality that allows you to leverage, using risk-based approach to reduce your validation effort
• They can clearly communicate and educate complex technology environments to your team so they can understand the operation and design elements
• They have been audited by other Life Sciences companies
• They have a robust and suitable QMS that matches Life Sciences industry expectations
• They have adequate Subject Matter Experts that span IT technical and compliance