Compliance in the Cloud Health Authority Regulators Overview · Compliance in the Cloud Health...
©2017 Waters Corporation 1 COMPANY CONFIDENTIAL
Compliance in the Cloud
Health Authority Regulators
Overview
A short list of likely benefits includes the following:
– A move from a capital expense model for software to an operating expense model, thus improving the
balance sheet
– Far easier methods to manage information flow between partners, suppliers, distributors and
licensees, speeding decisions and reducing mistakes
– Reduction in manual processing, non‐standard systems, and ‘work‐arounds’, improving GxP
compliance and reducing the risk of regulatory friction
– Improving visibility up and down the value chain, helping to avoid counterfeit products, serializing data,
improving demand planning and inventory management, and gaining pricing insights.
Cloud solutions are a double‐edged sword for QA
– There are tremendous benefits, but also legitimate concerns about how
GxP compliance requirements developed a decade ago can be met in a
cloud environment.
– It can be done.
Lachman Consultants
A whitepaper on Cloud and Life Sciences
Many regulated companies are using cloud hosting for clinical work
In this space, the separation from the regulated company is a good thing
– Blinded studies
In these cases they are often using SaaS PLUS expertise/services to process the data and create reports
Does this mean that FDA or other HAs approve “the cloud”?
– No, they never approve an application or a technology…
– They review the company’s USE of it and raise any concerns
– Focus on the application and its use, not on the platforms used for delivery
Cloud used in Pharma today
Many regulations or guidances simply refer to “hosted services” in the same way as on premise services.
– Not opposed to the technology
Regulated companies still need to understand the different risks involved
– In many cases the risks are seriously reduced, i.e., in uptime/robustness and security
– Other aspects could increase risk
– Assessing the cloud supplier (like any other) is key
Most (but not all) cloud providers know about GxP regulations
– May produce a list of “certificates” but are these relevant to Life Sciences?
– Unlikely to have GxP standard SOPs, nor ability to host or “pass” GxP type audits
– 2/3 may offer to host a regulatory audit, but 1/3 never will
Don’t judge a Cloud Provider in the same way you might an on premise provider
– They will provide great security and resilience, but Pharma needs to take care of the compliance
Is Cloud OK in regulated environments?
ISPE
Cloud technologies and associated RISK
Chris Reid: ISPE GAMP
Examples | Risk Consideration: Increased RISK | Risk Consideration: Decreased RISK
Outsourcing | Surrendered control | Outsource company has better processes
Virtualization | | If a physical machine fails, the image finds new hardware to live on
Data in the Cloud | Data is not on the regulated company’s asset | Better disaster recovery protection
Provider selection: Amazon Web Services
Responsibility for performance & application management
Responsibility for security
Contracts and service level agreements
Service Provider business failure
Preferred cloud vendor of many regulated pharmaceutical companies
AWS whitepaper, with input from Pharma and Med Device companies and
reviewed by Lachman Consultants
– Considerations for using AWS products in GxP Systems: Jan 2016
– Clarifies the compliance responsibilities of the Regulated Company and AWS to meet
GxP
– Illustrates the changes from traditional deployment
Amazon Web Services and GxP
Responsibility details go on…
Deploying software in automated ways reduces errors made by even skilled
engineers
Reducing variation between platforms/workspaces reduces risk and may
therefore reduce Qualification requirements, using a documented risk-based
approach
– This is the decision of the regulated company based on facts we can provide
Software driven deployment
Yes, it does: FDA’s new Public Cloud Computing infrastructure enabled by OITI
For managing very large data sets:
– “FDA, partnering with state and local health organizations, identifies thousands of food borne
pathogen contaminants every year. We sequence, store and analyze this data to understand,
locate, and contain life-threatening outbreaks. Again, cloud computing aids us in this effort.”
– “OpenFDA is beginning with an initial pilot program involving the millions of reports of drug
adverse events and medication errors that have been submitted to the FDA from 2004 to
2013 and will later be expanded to include the agency’s databases on product recalls and
product labeling.”
“Through innovative methods such as cloud computing, we are taking advantage of
this flood tide of new information to continue to protect and promote the public health.”
Does the FDA use the cloud?
FDA Leverages Big Data Via Cloud Computing. Posted on June 19, 2014 by FDA Voice. By: Taha A. Kass-Hout, M.D., M.S.
Definition of ‘Systems’:
– The American National Standards Institute (ANSI) defines systems as people, machines, and
methods organized to accomplish a set of specific functions
– Computer or related systems can refer to computer hardware, software, peripheral devices,
networks, cloud infrastructure, operators, and associated documents (e.g., user manuals
and standard operating procedures)
Agencies’ proposed strategy and recommendations are based on the premise that risk
and corresponding controls should focus on health IT functionality – not on the
platform(s) (e.g. mobile, cloud-based, installed) on which such functionality resides
or the product name/description of which it is a part*
*FDASIA Health IT Report
FDA Data Integrity Guidance draft April 2016
Newest Guidance for Computerized systems in GLP
1.6. Supplier
– When suppliers (e.g. third parties, vendors, internal IT departments, service providers
including hosting service providers) are used to provide, install, configure, integrate,
validate, maintain, modify, decommission or retain a computerized system or for services such
as data processing, data storage, archiving or cloud services, then written agreements
(contracts) should exist between the test facility and the supplier. These agreements should
include clear statements outlining the responsibilities of the supplier as well as clear
statements about data ownership.
– Hosted services (e.g. platform, software, data storage, archiving, backup or processes
as a service) should be treated like any other supplier service and require written
agreements describing the roles and responsibilities of each party. It is the responsibility of test
facility management to evaluate the relevant service and to estimate risks to data integrity and
data availability. Test facility management should be aware of potential risks resulting from the
uncontrolled use of hosted services.
OECD Guide 17 (Organization for Economic Co-operation and Development)