GAMP ® 5 as a Suitable Framework for Validation of Electronic Document Management Systems ‘On Premise’ and 'In the Cloud' Keith Williams CEO GxPi


Page 1: GAMP 5 as a Suitable Framework for Validation of Electronic

GAMP® 5 as a Suitable Framework for Validation of Electronic Document Management Systems ‘On Premise’ and ‘In the Cloud’

Keith Williams
CEO GxPi

Page 2: GAMP 5 as a Suitable Framework for Validation of Electronic

Disclaimer

The views and opinions expressed in the following PowerPoint slides are those of the individual presenter and should not be attributed to Drug Information Association, Inc. (“DIA”), its directors, officers, employees, volunteers, members, chapters, councils, Special Interest Area Communities or affiliates, or any organization with which the presenter is employed or affiliated.

These PowerPoint slides are the intellectual property of the individual presenter and are protected under the copyright laws of the United States of America and other countries. Used by permission. All rights reserved. Drug Information Association, DIA and DIA logo are registered trademarks or trademarks of Drug Information Association Inc. All other trademarks are the property of their respective owners.

2 www.diahome.org Drug Information Association

Page 3: GAMP 5 as a Suitable Framework for Validation of Electronic

History and evolution of GAMP®

• Group founded in 1991 in the UK from life sciences manufacturing (not called GAMP®)
• First GAMP® (Good Automated Manufacturing Practice) guide published in 1994
• Partnered with ISPE (International Society for Pharmaceutical Engineering) in 1994
• GAMP® 4 (2001) included a lot of detail in terms of checklists, templates, proposed “V” model etc.
• Replaced by a Quality Risk Management approach in GAMP® 5 (2008) plus IT related best practice guides (2005-2012)
• It’s a guideline, not a “Regulation”, but still widely followed

http://www.ispe.org/gamp5

Page 4: GAMP 5 as a Suitable Framework for Validation of Electronic

Context: Trend of EDMS over the last 15-20 Years, Matching the Evolution of GAMP®

[Figure: timeline marked 1994, 2002 and 2010, with the following labels]
• COTS or Pre-configured (OP and Hosted EDMS)
• Configured EDMS on platforms, still some development (OP)
• Mostly In-house developed EDMS or bespoke by supplier (OP)

Validation approaches have had to adapt to this change as more of the activities transfer to ‘Outsourcing’ companies.

(OP = ‘On-Premise’; Hosted may = Cloud)

Page 5: GAMP 5 as a Suitable Framework for Validation of Electronic

Can you Use GAMP® 5 for Validation of an EDMS for ‘On Premise’ and ‘Hosted in the Cloud’ deployment?

• In short, yes, it is suitable (otherwise this would be a short talk).
• It is a framework designed to ensure that computerised systems are fit for purpose and compliant with current regulatory requirements

BUT

• It should be employed as part of, and alongside, your Validation Master Plan (VMP)
• A specific Validation Plan (VP) should be produced for each GxP regulated system
• VP should focus on aspects related to patient safety, product quality and data integrity
• You need to have a deep understanding of the underlying technologies that are being employed in the Hosting of the Infrastructure, Platforms and Software applications
• You should leverage as much of the Suppliers’ expertise, testing and documentation as possible (see examples later)

Page 6: GAMP 5 as a Suitable Framework for Validation of Electronic

Why is GAMP® 5 useful now?


Page 7: GAMP 5 as a Suitable Framework for Validation of Electronic

RISK ASSESSMENT AND OVERVIEW OF TOOLS

Page 8: GAMP 5 as a Suitable Framework for Validation of Electronic

How can a risk based approach cut costs?

• High Level Risk Assessment – do you need to validate at all?
• Functional Risk Assessment – where should you focus your efforts in terms of documentation and testing?

Page 9: GAMP 5 as a Suitable Framework for Validation of Electronic

Assessment- do you have a GxP Critical system?


Page 10: GAMP 5 as a Suitable Framework for Validation of Electronic

GAMP 5 Risk based approach at a functional level


Page 11: GAMP 5 as a Suitable Framework for Validation of Electronic

What does GAMP 5 suggest?

• Clear separation of Regulated Company and Supplier Responsibilities
• Advice on managing the interface with suppliers, including assessments / audits
• Full proposed set of documents, including “templates”
• Acknowledges differences between Information Systems and computer-controlled “equipment”.
• Application of a Risk-based approach
• Categorisation of Software or Components
• Emphasis on the Validation Plan and Validation Report
• The end-result should not just be an auditable set of documents, but hopefully a computer system that does what it is meant to do!

Page 12: GAMP 5 as a Suitable Framework for Validation of Electronic

VALIDATION OF AN EDMS ‘ON-PREMISE’ VS ‘CLOUD’

Page 13: GAMP 5 as a Suitable Framework for Validation of Electronic

GAMP® 5 Compliance by adopting a life cycle approach to Computerised Systems

Page 14: GAMP 5 as a Suitable Framework for Validation of Electronic

The Main Components of an EDMS that need to be managed

• Platform Hardware (Servers and clients)
• Server Software (Platform and Application)
• Client Software
• EDMS Processes (Process Owner)
• EDMS Community (People, SME, System Owner; may also be Process Owner)

Page 15: GAMP 5 as a Suitable Framework for Validation of Electronic

Some definitions of ‘Cloud’ and Hosting (outsourcing)

Cloud Computing: SaaS, PaaS, IaaS

• Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
• Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure.
• Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider.
• Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications.

Page 16: GAMP 5 as a Suitable Framework for Validation of Electronic

Some further definitions of ‘Cloud’ and Hosting (outsourcing)

Cloud: Private, Public, Community, and Hybrid

• Private cloud: The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
• Public cloud: The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
• Community cloud: The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.
• Hybrid cloud: The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

Page 17: GAMP 5 as a Suitable Framework for Validation of Electronic

GAMP® 5 Categories and what to do

• Infrastructure and OS are treated as GAMP® Category 1 whether On Premise or Hosted
• The EDMS will be Category 3 if it is pre-configured and deployed without any major changes (not likely)
• The EDMS will be Category 4 if it is configured
• Category 5 we won’t cover here, but your Software Application provider should have validated their core product to this

Page 18: GAMP 5 as a Suitable Framework for Validation of Electronic

Service and Deployment models for On Premise and Hosted and who controls and manages them

Hybrid Clouds can be combinations of On-premise, Private or Public

Page 19: GAMP 5 as a Suitable Framework for Validation of Electronic

Example Component Categorisation for EDMS Cloud Implementation

Service: IaaS
  Components: Hardware, Internet Connectivity, Power, Servers, Storage and RAM, VMWare, Hyper-V
  GAMP® Category: 1
  What to do?: Qualify and manage infrastructure. Audit procedures.
  Who?: Infrastructure Vendor (IV). Application Vendor (AV) or Sponsor.

Service: PaaS
  Components: O/S, Windows Server, SharePoint and SQL
  GAMP® Category: 1
  What to do?: Qualify the stack. Manage / control ongoing changes. Audit procedures.
  Who?: Platform Vendor (PV). PV. AV or Sponsor.

Service: SaaS
  Components: e.g. Hosted EDMS
  GAMP® Category: 4
  What to do?: “Validate” the hosted application. URS and UAT.
  Who?: AV. Sponsor.

Page 20: GAMP 5 as a Suitable Framework for Validation of Electronic

All the areas below will have differences between ‘On-Premise’ and Hosted implementation

For EDMS Projects, the supplier involvement varies with ‘On-Premise’ or Hosted variations in these areas

Page 21: GAMP 5 as a Suitable Framework for Validation of Electronic

‘On Premise’ qualification and validation management

• Regulated Company handles everything in-house
• Owns and manages corporate IT infrastructure, relying on in-house IT department
• Sets up and qualifies separate machines / platforms / environments for informal development, formal testing and for live use
• Audits the software supplier
• Validates the application / system

Page 22: GAMP 5 as a Suitable Framework for Validation of Electronic

Hosted ‘Cloud’ qualification and validation management

• Regulated company uses private/public cloud-based Software as a Service for submissible or inspectable data
• Allows IaaS provider to manage infrastructure flexibly, adjusting capacity and even location, as needed
• Relies on SaaS provider’s validation documentation and testing of functionality
• Carries out minimal validation of software configuration to meet basic user requirements
• Carries out audits of service providers

Page 23: GAMP 5 as a Suitable Framework for Validation of Electronic

EXAMPLE OF CATEGORY 4 EDMS QUALIFICATION

Page 24: GAMP 5 as a Suitable Framework for Validation of Electronic

Area examined for a CAT4 EDMS example

EDMS Projects, the supplier involvement varies with ‘On-Premise’ or Hosted Variations

EDMS CAT 4 DETAILED PLAN EXAMPLE

Page 25: GAMP 5 as a Suitable Framework for Validation of Electronic

Category 4- Configuration of the EDMS


Page 26: GAMP 5 as a Suitable Framework for Validation of Electronic

EDMS Cat 4: Project Activities, Deliverables and Responsibilities, Regulated Company and Supplier

Page 27: GAMP 5 as a Suitable Framework for Validation of Electronic

How could this break down into activities for a multi-supplier Cloud delivery?

Organisations:
• Regulated Company
• Software Developer
• SaaS Provider
• IaaS Provider

Activities:
• Validation Plan & Report
• User Requirements & Acceptance Testing
• Functional & Design Documentation
• Installation Qualification
• Incident Management
• Infrastructure Qualification
• Operational Change Control
• Periodic Review

Note: Can use separate matrices for “Project” activities and “Ongoing Service”

Page 28: GAMP 5 as a Suitable Framework for Validation of Electronic

Summary of Compliance Risk Management in the Cloud

• You can’t mitigate risks unless:
  – You know what you are managing
  – You know what the risks are
• Biggest problems with ‘Cloud’ are:
  – Lack of understanding, by Quality AND IT staff, of what the ‘Cloud’ is (and is not!) and of what consistent terms apply to your company
  – Lack of understanding of the enabling technologies, how they work and the interactions between them and other applications
• Suppliers sell ‘Cloud’ services:
  – Without understanding what the regulated company needs and where the risk is
  – Without defining responsibilities
  – Without appreciating the cost of compliance the Life Science company requires

*This is not unique to ‘Cloud’ suppliers; this is a general outsourcing and Supplier management misunderstanding, usually after the contracts have been signed by procurement and variations occur

Page 29: GAMP 5 as a Suitable Framework for Validation of Electronic

SOME PRACTICAL EXAMPLES

Page 30: GAMP 5 as a Suitable Framework for Validation of Electronic

Example 1

• Small Pharma Company (500 users) using on-premise EDMS software for document management.
• Company keen to minimise IT costs so they set up their server farm as virtual machines.
• Software supplier contractually responsible for software Change Management, including regression testing.
• Software supplier using IaaS provider to host virtual test environments, as part of the support provided.

Page 31: GAMP 5 as a Suitable Framework for Validation of Electronic

Example 1: Lessons Learned

• Traditional ‘On-premise’ model project went to plan on time and budget
• BUT the capability to rapidly set up an identical “qualified” test environment greatly speeded up the testing of an unrepeatable fault, the fix and then release of controlled changes
• Good support from a specialised IaaS provider, keen to explore ways of supporting Pharma clients
• Qualification of new virtual environments can also be greatly speeded up, via use of executable scripts to install the relevant files and to confirm that the installation meets specifications

Page 32: GAMP 5 as a Suitable Framework for Validation of Electronic

Example 2

• New “virtual” Pharma company using hosted SaaS for electronic document management.
• The Software Product is highly configurable (as distinct from customisable) to meet client business requirements
• Specialised software application / SaaS provider with auditable development documentation ready for Pharma clients.
• Extensive auditing carried out by Pharma Company, which leveraged the document set and experience of the supplier
• Separate IaaS provider used for actual hosting, audited by the SaaS provider

Page 33: GAMP 5 as a Suitable Framework for Validation of Electronic

Example 2: Lessons Learned

• Niche service providers do understand needs of Pharma Clients, and expect to be audited ‘hard’ as part of supplier selection
• SaaS provider can take on responsibility to audit and manage the IaaS provider, including Infrastructure and Installation Qualification, and that can be audited by Pharma Company.
• Suppliers need to be pragmatic when faced with multiple opinions on compliance details from different clients; make sure that they have a robust but cost effective system
• Configuration of the application needs to be managed carefully by the SaaS provider, with maximum input from actual users

Page 34: GAMP 5 as a Suitable Framework for Validation of Electronic

WHAT THE REGULATORS HAVE SAID ABOUT CLOUD USAGE THIS YEAR

Page 35: GAMP 5 as a Suitable Framework for Validation of Electronic

What are regulators interested in when they discover IT is ‘in the Cloud’?

• That the Integrity of the Data is assured
  – Risks have been clearly identified & mitigated
  – Client/Provider Contracts cover off key elements
  – Supplier Quality Systems are adequate
    • QMS, validation, change control, training
  – Cybersecurity has been tested (ethical hacking?)
  – Data Backup/Recovery processes are robust and fit for requirements
  – Evidence of Audits of Providers by FDA / other Clients

Page 36: GAMP 5 as a Suitable Framework for Validation of Electronic

SUMMARY

• GAMP 5 is widely used and referenced in our Industry
• It can help both Suppliers and Users of EDMS
• It can be applied to both on-premise and hosted environments
• I would advocate closer ties with DIA and ISPE so experiences and guidance can be shared and knowledge built

Page 37: GAMP 5 as a Suitable Framework for Validation of Electronic

Thanks for material and thoughts contributing to this presentation go to:

• Phil Harrison of GXPi
• Thana Subramanian of GE
• Randy Perez of Novartis (and Chair of ISPE)
• David Stokes of Business Decision
• ISPE for use of GAMP® material
• Fujitsu

Page 38: GAMP 5 as a Suitable Framework for Validation of Electronic

Thanks for listening!!

Keith Williams ([email protected])

Page 39: GAMP 5 as a Suitable Framework for Validation of Electronic

REFERENCE MATERIAL

Page 40: GAMP 5 as a Suitable Framework for Validation of Electronic

Other Resources: Best Practice Guides

• Operation of GxP Computerized Systems (2010)
  – Regulators usually focus on the integrity, consistency, and completeness of controls required to maintain compliance.
  – Highlights the importance of the operation phase of the system lifecycle
  – When the return on investment for the significant time and resource expended in implementing new computerized systems can be achieved.
• IT Infrastructure Control & Compliance Guide
  – The validated status of EDMS applications that are dependent upon an underlying IT Infrastructure
  – Being updated for ‘Cloud’ elements
  – ID and assessment of components
  – Qualification
  – Maintenance of the Qualified State

Page 41: GAMP 5 as a Suitable Framework for Validation of Electronic

Other Resources: Best Practice Guides

• Testing of GxP Systems (2012)
  – Very Process and prescriptive Driven (around 200 pages)
  – Helps maximize testing efficiency without compromising the quality of GxP Systems
  – Focusing testing on areas that have the greatest impact
  – Has been recently expanded and updated and reflects ICH Q8, Q9, and Q10
  – Contains new information on Cloud computing
• Global Information Systems Control & Compliance (2005)
  – Project Management on multiple geographic site Computer system projects
  – Validation and Implementation approaches
  – Global System management of Change Control
  – Record retention

Page 43: GAMP 5 as a Suitable Framework for Validation of Electronic

How Risk Management ICH maps to GAMP® 5


Page 44: GAMP 5 as a Suitable Framework for Validation of Electronic

The Advantages of using GAMP® 5

• Has had a lot of thought put into it in a pragmatic way
• Is process driven and risk based so you can use the framework to do as much or as little as you see fit
• Gives you the latitude to do what is necessary for your business and allocate appropriate resource
• Establishes a common language and terminology (BUT see ‘Cloud’ terms for further confusion)
• Has been harmonised where possible with other standards such as ICH Q8, Q9 and Q10 and various ISO standards
• Is designed to be compatible with other computer and software models and methods like ITIL, RUP etc.
• The validation of a computerised system to achieve and maintain GxP compliance throughout the lifecycle of that system
• It clarifies the scalability and central role of Quality Risk Management in a sensible, justifiable approach to what you do (but document it!!)

Page 45: GAMP 5 as a Suitable Framework for Validation of Electronic

The Disadvantages of using GAMP® 5

• May not fit well to your existing Quality process
• Comes from a Manufacturing/Production bias
• So there may be a feeling of ‘it doesn’t apply to me’
• Terminology and nomenclature may be different
• Less prescriptive than previous GAMP® iterations
• The risk based approach requires complete product, process and technology understanding
• This in turn means you have to understand deeply the technologies being employed and their quality impact, and/or employ or pay for Subject Matter Experts (SMEs)
• For Hosting situations, you will require (and may have to educate) your Supplier to manage their QMS and activities in a way commensurate with GAMP® (see next slide)
• Cost, perceived and otherwise, but mostly getting everyone on the same page and with agreed nomenclature

Page 46: GAMP 5 as a Suitable Framework for Validation of Electronic

Just a reflection on why we bother to validate?

• Minimise the risk that something goes wrong with the end customer’s health and safety
• Keep the regulators confident in your business and prevent them issuing restrictions and actions against you (note: they require to see documented evidence in Human Readable format)

BUT

• Cost of compliance adds to cost of doing things and ultimately cost of goods (which we want to reduce)
• Computer System Validation (and GAMP®) was traditionally associated with extra workload and greatly increased costs of compliance

Page 47: GAMP 5 as a Suitable Framework for Validation of Electronic

Challenges of imposing GAMP® 5 on Suppliers of Hosted Services for the Life Sciences sector

• Change control: Sometimes even minor software tweaks or patching, whether necessary or not, can cause major breakdown. The rigour of change management, impact assessment and testing adds to the work burden and short term cost (and is one that the supplier may not be used to)
• QMS: Infrastructure suppliers may prefer not to work within the confines of specifications and procedures developed by others (Pharma Sector). If you are going to rely on suppliers, they may not want to bear the cost of implementing a formal QMS that will tick all of your requirements, especially the ‘cloud’ providers who have many other customers
• Documentation: Effective documentation management is fundamental to demonstrate compliance; again, suppliers may not be able to manage this, or their training records, auditing of their suppliers etc.

Page 48: GAMP 5 as a Suitable Framework for Validation of Electronic

Some things to look for in a Supplier to ease the implementation of a Cloud EDMS

Minimum
• Documents and schematics that are understandable by the non-expert
• They manage change in an acceptable manner
• They have clear contracts and allocation of responsibilities
• They have been audited by other regulated companies
• They audit their suppliers
• Suitable test scripts for their environment to prove security and data integrity

Ideally
• They have detailed experience of the compliance needs of the Life Sciences industry and tools to aid and ensure that compliance is achieved efficiently
• They have validation documents of a suitable quality that allows you to leverage, using risk-based approach to reduce your validation effort
• They can clearly communicate and educate complex technology environments to your team so they can understand the operation and design elements
• They have been audited by other Life Sciences companies
• They have a robust and suitable QMS that matches Life Sciences industry expectations
• They have adequate Subject Matter Experts that span IT technical and compliance