Compliance in the Cloud: Health Authority Regulators Overview

©2017 Waters Corporation COMPANY CONFIDENTIAL

Transcript of the slide deck (13 pages)

Page 1

Compliance in the Cloud
Health Authority Regulators
Overview

Page 2

A short list of likely benefits includes the following:

– A move from a capital expense model for software to an operating expense model, thus improving the balance sheet
– Far easier methods to manage information flow between partners, suppliers, distributors and licensees, speeding decisions and reducing mistakes
– Reduction in manual processing, non-standard systems, and ‘work-arounds’, improving GxP compliance and reducing the risk of regulatory friction
– Improving visibility up and down the value chain, helping to avoid counterfeit products, serializing data, improving demand planning and inventory management, and gaining pricing insights.

Cloud solutions are a double-edged sword for QA

– There are tremendous benefits, but also legitimate concerns about how GxP compliance requirements developed a decade ago can be met in a cloud environment.
– It can be done.

Lachman Consultants, “A whitepaper on Cloud and Life Sciences”

Page 3

Cloud used in Pharma today

Many regulated companies are using cloud hosting for clinical work.

In this space, the separation from the regulated company is a good thing
– Blinded studies

In these cases they are often using SaaS PLUS expertise/services to process the data and create reports.

Does this mean that FDA or other HAs approve “the cloud”?
– No, they never approve an application or a technology…
– They review the company’s USE of it and raise any concerns
– Focus on the application and its use,
  o not on the platforms used for delivery

Page 4

Is Cloud OK in regulated environments?

Many regulations or guidances simply refer to “hosted services” in the same way as on-premises services.
– Not opposed to the technology

Regulated companies still need to understand the different risks involved
– In many cases the risks are seriously reduced, e.g., in uptime/robustness and security
– Other aspects could increase risk
– Assessing the cloud supplier (like any other) is key

Most (but not all) cloud providers know about GxP regulations
– May produce a list of “certificates”, but are these relevant to Life Sciences?
– Unlikely to have GxP-standard SOPs, nor the ability to host or ‘pass’ GxP-type audits
– 2/3 may offer to host a regulatory audit, but 1/3 never will

Don’t judge a Cloud Provider in the same way you might an on-premises provider
– They will provide great security and resilience, but Pharma needs to take care of the compliance

Page 5

Cloud technologies and their associated RISK

ISPE

Page 6

Examples | Risk considerations (Chris Reid, ISPE GAMP)

Outsourcing
– Increased RISK: surrendered control
– Decreased RISK: outsource company has better processes

Virtualization
– Decreased RISK: if a physical machine fails, the image finds new hardware to live on

Data in the Cloud
– Decreased RISK: better disaster recovery protection
– Increased RISK: data is not on the regulated company’s asset

Provider selection (Amazon Web Services)
– Responsibility for performance & application management
– Responsibility for security
– Contracts and service level agreements
– Service Provider business failure

Page 7

Amazon Web Services and GxP

Preferred cloud vendor of many regulated pharmaceutical companies

AWS whitepaper, with input from Pharma and Med Device companies and reviewed by Lachman Consultants
– Considerations for using AWS products in GxP Systems: Jan 2016
– Clarifies the compliance responsibilities of the Regulated Company and AWS to meet GxP
– Illustrates the changes from traditional deployment

Page 8

Responsibility details go on…

Page 9

Software-driven deployment

Deploying software in automated ways reduces errors made by even skilled engineers.

Reducing variation between platforms/workspaces reduces risk and may therefore reduce qualification requirements, using a documented risk-based approach.
– This is the decision of the regulated company, based on facts we can provide

Page 10

Does the FDA use the cloud?

Yes it does: FDA’s new Public Cloud Computing infrastructure enabled by OITI

For managing very large data sets:
– “FDA, partnering with state and local health organizations, identifies thousands of foodborne pathogen contaminants every year. We sequence, store and analyze this data to understand, locate, and contain life-threatening outbreaks. Again, cloud computing aids us in this effort.”
– “OpenFDA is beginning with an initial pilot program involving the millions of reports of drug adverse events and medication errors that have been submitted to the FDA from 2004 to 2013 and will later be expanded to include the agency’s databases on product recalls and product labeling.”

“Through innovative methods such as cloud computing, we are taking advantage of this flood tide of new information to continue to protect and promote the public health.”

Source: “FDA Leverages Big Data Via Cloud Computing”, posted on June 19, 2014 by FDA Voice. By: Taha A. Kass-Hout, M.D., M.S.

Page 11

FDA Data Integrity Guidance draft April 2016

Definition of ‘Systems’:
– The American National Standards Institute (ANSI) defines systems as people, machines, and methods organized to accomplish a set of specific functions
– Computer or related systems can refer to computer hardware, software, peripheral devices, networks, cloud infrastructure, operators, and associated documents (e.g., user manuals and standard operating procedures)

Agencies’ proposed strategy and recommendations are based on the premise that risk and corresponding controls should focus on health IT functionality – not on the platform(s) (e.g. mobile, cloud-based, installed) on which such functionality resides or the product name/description of which it is a part*

*FDASIA Health IT Report

Page 12

OECD Guide 17 (Organisation for Economic Co-operation and Development)

Newest Guidance for Computerized Systems in GLP

1.6. Supplier
– When suppliers (e.g. third parties, vendors, internal IT departments, service providers including hosting service providers) are used to provide, install, configure, integrate, validate, maintain, modify, decommission or retain a computerized system, or for services such as data processing, data storage, archiving or cloud services, then written agreements (contracts) should exist between the test facility and the supplier. These agreements should include clear statements outlining the responsibilities of the supplier as well as clear statements about data ownership.
– Hosted services (e.g. platform, software, data storage, archiving, backup or processes as a service) should be treated like any other supplier service and require written agreements describing the roles and responsibilities of each party. It is the responsibility of test facility management to evaluate the relevant service and to estimate risks to data integrity and data availability. Test facility management should be aware of potential risks resulting from the uncontrolled use of hosted services.
